Re: [Snort-sigs] Netsky.P Signature

From: Brian <bmc(at)snort.org>
Date: Mon Mar 22 2004 - 19:36:57 EST

On Mon, Mar 22, 2004 at 04:24:29PM -0600, Cam Beasley, ISO wrote:
> alert tcp any any -> any 25 (msg:"Netsky.P";

Or you could use my super signature :P BTW, this single rule is faster than the previous method of 19 different virus rules *AND* it detects more bad juju.

from virus.rules:

# We don't care about virus rules anymore.  BUT, you people won't stop
# asking us for virus rules.  So... here ya go.
#

# There is now one rule that looks for any of the following attachment # types: # # ade, adp, asd, asf, asx, bat, chm, cli, cmd, com, cpp, diz, dll, # dot, emf, eml, exe, hlp, hsq, hta, ini, js, jse, lnk, mda, mdb, mde, # mdw, msi, msp, nws, ocx, pif, pl, pm, pot, pps, ppt, reg, rtf, scr, # shs, swf, sys, vb, vbe, vbs, vcf, vxd, wmd, wmf, wms, wmz, wpd, wpm, # wps, wpz, wsc, wsf, wsh, xls, xlt, xlw #

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:6;)

Brian

---

This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click

---

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Mon Mar 22 19:47:30 2004