Snort mailing list archives
Re: Bripia worm
From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 02 Feb 2005 21:08:33 -0500
At 08:11 PM 2/2/2005, Cesar Sanabria Pineda wrote:
Hi, I have a virus spreading through Messenger. It seems like bropia.worm. Is there any Snort rule to detect this worm?
None that I've seen, but you might be able to hack the MSN Messenger file-transfer rule from Bleeding Snort (sid: 2001241) to detect any attempts to MSN a .pif file by adding to the end: content:".pif"; distance:40;
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"BLEEDING-EDGE CHAT MSN PIF file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; distance:0; nocase; content:"text/x-msmsgsinvite"; distance:0; nocase; content:"Application-Name|3A|"; content:"File Transfer"; distance:0; content:".pif"; distance:40; nocase; classtype:policy-violation; priority:1; sid:xxxx; rev:1;)
Note: I've mangled the sid above to avoid re-use of the bleeding-edge SID for the original rule, please pick a SID in the 1,000,000+ range.
Disclaimer: I've not tested this, as I don't have this worm roaming my network. I've also never tested the original rule; this is entirely a theory anyway.
Snort-users mailing list: Snort-users () lists sourceforge net
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
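Since the rule above is explicitly untested, here is an offline way to sanity-check what its content/depth/distance/nocase chain actually matches. This is an added example, not code from the list post or from the Bleeding Snort project: it re-implements the documented semantics of those four Snort options for this one rule and runs them over constructed MSN Messenger payloads (modelled on the MSNP invitation format; the GUID, cookie and size values are illustrative, and the "short" invitation is a deliberately abbreviated payload, not a real client's output). The function names and sample data are all assumptions of this example.

```python
"""Emulate the content-matching chain of the proposed "MSN PIF file transfer
request" rule over constructed payloads (added example, not part of the post).

Snort option semantics reproduced here:
  depth:N     look at most N bytes past the start of this search
  distance:N  this match must begin at least N bytes after the END of the
              previous match (relative search); contents without distance
              are searched from the start of the payload (absolute search)
  nocase      case-insensitive match
  |3A|        hex escape, i.e. the ':' character
"""
from typing import List, Optional, Tuple

# (pattern, depth, distance, nocase) for each content: option in rule order.
# None means the modifier is not set on that content.
RULE: List[Tuple[bytes, Optional[int], Optional[int], bool]] = [
    (b"MSG ",                4,    None, False),
    (b"Content-Type:",       None, 0,    True),
    (b"text/x-msmsgsinvite", None, 0,    True),
    (b"Application-Name:",   None, None, False),
    (b"File Transfer",       None, 0,    False),
    (b".pif",                None, 40,   True),
]


def match_rule(payload: bytes, rule=RULE) -> bool:
    """Return True if every content: in `rule` matches `payload` in order."""
    cursor = 0  # end of the previous match; relative contents hang off this
    for pattern, depth, distance, nocase in rule:
        hay, pat = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        start = cursor + distance if distance is not None else 0
        end = len(hay) if depth is None else min(len(hay), start + depth)
        idx = hay.find(pat, start, end)
        if idx < 0:
            return False
        cursor = idx + len(pat)
    return True


def invite(filename: str) -> bytes:
    """Constructed MSNP file-transfer invitation carrying `filename`
    (modelled on the MSNP8 invite layout; values are illustrative)."""
    body = (
        "MIME-Version: 1.0\r\n"
        "Content-Type: text/x-msmsgsinvite; charset=UTF-8\r\n"
        "\r\n"
        "Application-Name: File Transfer\r\n"
        "Application-GUID: {5D3E02AB-6190-11d3-BBBB-00C04F795683}\r\n"
        "Invitation-Command: INVITE\r\n"
        "Invitation-Cookie: 3521\r\n"
        f"Application-File: {filename}\r\n"
        "Application-FileSize: 30244\r\n"
    )
    return f"MSG 12 N {len(body)}\r\n{body}".encode()


# Constructed plain chat message that merely mentions a .pif name: no invite.
PLAIN_MSG = (
    b"MSG 13 N 85\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=UTF-8\r\n\r\n"
    b"send me the update.pif file"
)

# Constructed, deliberately abbreviated invitation (no GUID/command/cookie
# lines, which a real client would send) to show the distance:40 caveat:
# ".pif" here begins only 21 bytes after "File Transfer", so it is skipped.
SHORT_INVITE = (
    b"MSG 14 N 99\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: text/x-msmsgsinvite; charset=UTF-8\r\n\r\n"
    b"Application-Name: File Transfer\r\n"
    b"Application-File: a.pif\r\n"
)


if __name__ == "__main__":
    for label, payload in [
        ("invite readme.pif", invite("readme.pif")),
        ("invite readme.PIF", invite("readme.PIF")),
        ("invite vacation.jpg", invite("vacation.jpg")),
        ("plain text mentioning .pif", PLAIN_MSG),
        ("short invite a.pif", SHORT_INVITE),
    ]:
        print(f"{label:30s} -> {'ALERT' if match_rule(payload) else 'no match'}")
```

Two things the emulation makes visible. First, distance:40 is a minimum gap, not a window: any ".pif" later in the payload satisfies it (so a filename such as "notes.pif.txt" also fires), while a ".pif" that lands within 40 bytes of "File Transfer" is silently skipped. With a real client's GUID line in between that is not a problem, but the number is a guess and worth checking against a capture. Second, all six contents must be present in the same payload Snort inspects, so if the MSG command line and the MIME body arrive in separate segments the rule only works with stream reassembly enabled.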