
Re: [Snort-sigs] Netsky.P Signature

From: <Mark.Schutzmann(at)Omron.com>
Date: Tue Mar 23 2004 - 09:03:26 EST

I can't wait for all of the FP's on this one... but at least it will be fast ;-)

From:    Brian
Sent by: snort-sigs-admin@lists.sourceforge.net
To:      "Cam Beasley, ISO"
cc:      snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] Netsky.P Signature
Date:    03/22/2004 06:36 PM

On Mon, Mar 22, 2004 at 04:24:29PM -0600, Cam Beasley, ISO wrote:
> alert tcp any any -> any 25 (msg:"Netsky.P";
> content:"EtLD/LKApGoCW/8UJHP3M8n/FCRzGDPA/xQkcyGzAkGwEP8UJBLAc/l1P6rr3OhDAAAAK8t1";
> classtype:misc-attack; rev:1;)

Or you could use my super signature :P BTW, this single rule is faster than the previous method of 19 different virus rules *AND* it detects more bad juju.

from virus.rules:

# We don't care about virus rules anymore.  BUT, you people won't stop
# asking us for virus rules.  So... here ya go.
#
# There is now one rule that looks for any of the following attachment
# types:
#
#   ade, adp, asd, asf, asx, bat, chm, cli, cmd, com, cpp, diz, dll,
#   dot, emf, eml, exe, hlp, hsq, hta, ini, js, jse, lnk, mda, mdb, mde,
#   mdw, msi, msp, nws, ocx, pif, pl, pm, pot, pps, ppt, reg, rtf, scr,
#   shs, swf, sys, vb, vbe, vbs, vcf, vxd, wmd, wmf, wms, wmz, wpd, wpm,
#   wps, wpz, wsc, wsf, wsh, xls, xlt, xlw
#

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3a|"; nocase;
pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR";  classtype:suspicious-filename-detect; sid:721; rev:6;)

Brian




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Tue Mar 23 11:17:53 2004
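The two-stage match in Brian's sid 721 rule (fast "Content-Disposition|3a|" content search, then the attachment-name pcre evaluated relative to it) reproduced in Python as an added example for this archive page. It is not code from the thread or from the Snort project; the pcre is copied from the rule as posted, and every SMTP fragment below is constructed, not captured traffic. Running it shows both a Netsky-style .pif attachment and the kind of match Mark's false-positive remark is about: an ordinary .xls attachment, and a .txt whose name merely contains ".exe " before the real extension.

```python
"""Re-implementation of the matching logic behind Snort sid 721
("VIRUS OUTBOUND bad file attachment"). Added example for this archive
page; not code from the Snort-sigs thread or the Snort project. All SMTP
fragments are constructed, not captured traffic."""
import re

# Stage 1: the rule's content match, "Content-Disposition|3a|" with nocase.
CONTENT_MATCH = re.compile(rb"Content-Disposition:", re.IGNORECASE)

# Stage 2: the rule's pcre, copied verbatim apart from the Snort-only R
# (relative) modifier. /i becomes re.IGNORECASE; R is reproduced by starting
# each search at the end of a Content-Disposition match.
ATTACHMENT_PCRE = re.compile(
    rb"filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])"
    rb"(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)"
    rb"|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)"
    rb"|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)"
    rb"[\x27\x22\n\r\s]",
    re.IGNORECASE,
)


def flagged_extension(payload: bytes):
    """Return the lowercased extension sid 721 would alert on, or None.

    As Snort does, retry the pcre after every Content-Disposition occurrence
    so a harmless first MIME part does not mask a later attachment.
    """
    for anchor in CONTENT_MATCH.finditer(payload):
        m = ATTACHMENT_PCRE.search(payload, anchor.end())
        if m is not None:
            return m.group(1).lower().decode("ascii")
    return None


# Constructed SMTP DATA fragments (hypothetical, not captured mail).
SAMPLES = {
    # Netsky-style executable attachment, filename folded onto a second line.
    "netsky_style_pif": b'Content-Disposition: attachment;\r\n\tfilename="your_document.pif"\r\n',
    # Plain text attachment: nothing in the extension list.
    "plain_text": b'Content-Disposition: attachment; filename="minutes.txt"\r\n',
    # A legitimate spreadsheet: .xls is in the list, so it alerts regardless.
    "legit_spreadsheet": b'Content-Disposition: attachment; filename="q1-forecast.xls"\r\n',
    # Real extension is .txt, but ".exe" followed by a space satisfies the
    # lazy .*? and the [\x27\x22\n\r\s] terminator.
    "dot_inside_name": b'Content-Disposition: attachment; filename="setup.exe readme.txt"\r\n',
    # No filename parameter at all.
    "inline_no_filename": b"Content-Disposition: inline\r\nContent-Type: text/plain\r\n",
    # Double-extension trick: the lazy .*? backtracks past ".jpg" to ".scr".
    "double_extension": b'Content-Disposition: attachment; filename="photo.jpg.scr"\r\n',
    # nocase on the content and /i on the pcre cover odd capitalisation.
    "mixed_case": b'content-disposition: ATTACHMENT; FileName = "Invoice.ExE"\r\n',
}


def scan_samples(samples=SAMPLES):
    """Map each sample name to the extension sid 721 would report, or None."""
    return {name: flagged_extension(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, ext in scan_samples().items():
        print(f"{name:20s} -> {'ALERT ' + ext if ext else 'no alert'}")
```

The "legit_spreadsheet" and "dot_inside_name" cases are what makes the rule noisy on a real mail gateway: anything in the extension list alerts, Office documents included, and because the `.*?` is lazy and the terminator class includes whitespace, any dot-plus-listed-extension-plus-space sequence inside a longer filename counts as a hit.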

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:39 EDT

