Hosting Provided By

RE: [Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a? .....can you give me some pointers. (fwd)

From: daniel.clemens <daniel_clemens(at)autism.birmingham-infragard.org>
Date: Tue May 20 2003 - 06:25:05 EDT

I was playing around last night with some of these rules hoping to get some feedback from some friends.
I haven't gotten to test these in a production environment since I don't have the actual virus but thought I would pass along portions of the conversation for the list members consumption and possible some correction from Brian on the rule format.

> > alert tcp $EXTERNAL_NET any -> any 25 \
> > (flow:to_server,established;\

Well, I was thinking From:support@microsoft.com, when I had the ':' char in there i kept getting the following error:

ERROR: /usr/local/snort/rules//local.rules(12) => ParsePattern Got Null enclosed in quotation marks (")! if I had it setup like so:

alert tcp $EXTERNAL_NET any -> any 25 \ (flow:to_server,established;\
content:"From:support@microsoft.com";nocase;\ content:"| 2E 70 69 66 |"; distance: 4; within: 4;\ byte_test: 4, >, 15,0,relative,string;\ msg:"Incoming manhkX worm to mail server";)

So I thought I would have the 'from' and then support@microsoft.com, and have the two patterns one byte away from each other since I was assuming there would probably be a : char between the two..(but i kept getting that error'... i guess I should read up on why I can' t put that in there but i kinda hacked the sig to get it to work...

patience is a virtue sometimes..

Do you need help?

-Daniel Uriah Clemens

Esse quam videra

(to be, rather than to appear)
http://www.birmingham-infragard.org | 2053284200 | 877.806.8928

This SF.net email is sponsored by: ObjectStore. If flattening out C++ or Java code to make your application fit in a relational database is painful, don't do it! Check out ObjectStore. Now part of Progress Software. http://www.objectstore.net/sourceforge

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Tue May 20 12:02:19 2003

This message: [ Message body ]
Next message: Brian: "Re: [Snort-sigs] install.php?phpbb_root_dir=http:// sig?"
Previous message: Robert Reid: "RE: [Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a?"
In reply to bmc(at)snort.org: "[Snort-sigs] snort-rules CURRENT update @ Tue Mar 4 15:08:40 2003"
Next in thread: Dale L. Handy: "Re: [Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a? .....can you give me some pointers. (fwd)"
Reply: Dale L. Handy: "Re: [Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a? .....can you give me some pointers. (fwd)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:29 EDT