Pantek Library
RE: [Snort-sigs] Does anyone have a working set of rules for the Fizzer Worm

From: Tinsley Paul <Paul.Tinsley(at)HCAhealthcare.com>
Date: Wed May 14 2003 - 18:37:25 EDT


I pulled these rules off of a virus vendor site; I don't remember which one, sorry, or I would give them credit. One thing you may want to do is change the sid numbers; I use 900000s for any local rules I have:

# Both content strings are UTF-16LE (each character followed by |00|):
# "Microsoft(R) Windows(R) System Init" and "lservc.exe", looked for in any TCP or UDP payload.
alert tcp any any -> any any (msg:"W32.HLLW.Fizzer@mm"; content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|(|00|R|00|)|00| |00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|(|00|R|00|)|00| |00|S|00|y|00|s|00|t|00|e|00|m|00| |00|I|00|n|00|i|00|t"; nocase; content:"l|00|s|00|e|00|r|00|v|00|c|00|.|00|e|00|x|00|e"; nocase; classtype:misc-activity; sid:900010; rev:1;)

alert udp any any -> any any (msg:"W32.HLLW.Fizzer@mm"; content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|(|00|R|00|)|00| |00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|(|00|R|00|)|00| |00|S|00|y|00|s|00|t|00|e|00|m|00| |00|I|00|n|00|i|00|t"; nocase; content:"l|00|s|00|e|00|r|00|v|00|c|00|.|00|e|00|x|00|e"; nocase; classtype:misc-activity; sid:900011; rev:1;)

# The same UTF-16LE "lservc.exe" as it appears base64-encoded inside an SMTP attachment.
# A base64 stream encodes 3 bytes at a time, so the string can land at any of three
# alignments and looks different in each; one rule per alignment.
alert tcp any any -> any 25 (msg:"W32.HLLW.Fizzer@mm"; content:"AHMAZQByAHYAYwAuAGUAeABl"; classtype:misc-activity; sid:900012; rev:1;)

alert tcp any any -> any 25 (msg:"W32.HLLW.Fizzer@mm"; content:"AGwAcwBlAHIAdgBjAC4AZQB4"; classtype:misc-activity; sid:900013; rev:1;)

alert tcp any any -> any 25 (msg:"W32.HLLW.Fizzer@mm"; content:"AbABzAGUAcgB2AGMALgBlAHg"; classtype:misc-activity; sid:900014; rev:1;)

I have only had these rules up and running for about 30 minutes, so I can't speak to their accuracy; I wouldn't mind knowing if they help/hinder though.

P.S. - I think the vendor was Symantec.


-----Original Message-----
From: Marty.Bostick@protective.com [mailto:Marty.Bostick@protective.com]
Sent: Wednesday, May 14, 2003 3:27 PM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] Does anyone have a working set of rules for the Fizzer Worm

I need a working set of rules for the "Fizzer Worm"

Thanks



Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara The only event dedicated to issues related to Linux enterprise solutions www.enterpriselinuxforum.com

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Wed May 14 19:15:42 2003
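To see where the content strings in the rules above come from, here is an added example (not from the original post, and not Symantec's or the Snort project's code) that builds the UTF-16LE Snort content string for a text, derives the three base64 alignment variants of a filename that the port-25 rules use, and runs a content-style match over a constructed base64 attachment. The attachment, its 0x41 filler prefix and the "OriginalFilename" fragment around the filename are constructed for the example, the `flow:` option in the generated rules is this example's addition rather than part of the posted rules, and nothing here is a real Fizzer capture.

```python
"""Fizzer-style Snort content strings for a UTF-16LE filename, and a check of
what a plain content: match sees inside a base64 MIME attachment.
Added example; not code from the original post, Symantec or the Snort project."""
import base64
import re

DROPPED_FILE = "lservc.exe"   # the filename the posted port-25 rules look for
MARKER = "Microsoft(R) Windows(R) System Init"


def snort_hex_content(s: str) -> str:
    """Render s as UTF-16LE in Snort content syntax: printable bytes stay
    literal, everything else becomes |XX|, giving the M|00|i|00|c|00|... form."""
    parts = []
    for b in s.encode("utf-16-le"):
        c = chr(b)
        if 0x20 <= b < 0x7F and c not in '|";\\':
            parts.append(c)
        else:
            parts.append("|%02X|" % b)
    return "".join(parts)


def base64_alignments(data: bytes) -> list:
    """Base64 text that data produces at each of the three positions it can
    occupy inside a 3-byte group. Only characters whose six bits lie entirely
    within data are kept, so each variant matches whatever the neighbouring
    bytes are. (The posted rules keep one or two more characters by assuming
    the neighbours are 0x00, which holds inside UTF-16LE text.)"""
    n = len(data)
    variants = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + data).decode("ascii").rstrip("=")
        first = -(-8 * offset // 6)        # ceil: first char fully inside data
        last = (8 * offset + 8 * n) // 6   # one past the last such char
        variants.append(enc[first:last])
    return variants


def smtp_rules(msg: str, filename: str, sid_base: int) -> list:
    """One 'alert tcp ... -> any 25' rule per base64 alignment of filename.
    The flow: option is this example's addition, not part of the posted rules."""
    rules = []
    for i, needle in enumerate(base64_alignments(filename.encode("utf-16-le"))):
        rules.append(
            'alert tcp any any -> any 25 (msg:"%s"; flow:to_server,established; '
            'content:"%s"; classtype:misc-activity; sid:%d; rev:1;)'
            % (msg, needle, sid_base + i)
        )
    return rules


def matches_raw(payload: bytes, needles: list) -> bool:
    """What a plain content: match sees: the payload byte for byte, so a MIME
    line break falling inside the needle defeats the match."""
    return any(n.encode("ascii") in payload for n in needles)


def matches_unwrapped(payload: bytes, needles: list) -> bool:
    """The same check after removing the line breaks a MIME encoder inserts
    every 76 characters (CRLF on the wire; encodebytes() below emits LF)."""
    flat = re.sub(rb"\r?\n", b"", payload)
    return any(n.encode("ascii") in flat for n in needles)


def constructed_attachment(prefix_len: int) -> bytes:
    """Constructed sample, not a real Fizzer capture: prefix_len filler bytes,
    then a UTF-16LE version-info fragment naming the file, base64-encoded with
    MIME-style 76-column lines. prefix_len shifts both the base64 alignment
    and the position of the line break relative to the filename."""
    body = b"\x41" * prefix_len + ("OriginalFilename\0" + DROPPED_FILE + "\0").encode("utf-16-le")
    return base64.encodebytes(body)


if __name__ == "__main__":
    print(snort_hex_content(MARKER))
    for rule in smtp_rules("W32.HLLW.Fizzer@mm", DROPPED_FILE, 900012):
        print(rule)
    needles = base64_alignments(DROPPED_FILE.encode("utf-16-le"))
    for p in (0, 1, 2, 10, 11, 12):
        a = constructed_attachment(p)
        print(p, "raw:", matches_raw(a, needles), "unwrapped:", matches_unwrapped(a, needles))
```

With filler prefixes of 0, 1 and 2 bytes the filename sits inside the first 76-column line and all three alignments match the raw payload; with prefixes of 10, 11 and 12 bytes the encoded filename straddles the line break and a byte-for-byte match fails even though the unwrapped text still contains it. Three alignment variants are therefore necessary but not sufficient for a base64 attachment: a rule that matches the raw SMTP stream will miss the cases where the encoder's line break lands inside the pattern.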

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:28 EDT

