RE: [Snort-users] NetSky worm signature definition...!!!

permalink · #1 (**permalink**) 02-20-2004

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C3F74F.2A125F30
Content-Type: text/plain;
charset="iso-8859-1"

I agree with what shane mentioned and was hopping a more specific signature
that look into the payload. I mean if the virus is been caught and someone
found out that the payload contains certain sequence of values that identify
this worm.

Best Regards

Ohanes Semerjian

-----Original Message-----
From: Shane Williams [mailto:shanew@shanew.net]
Sent: Friday, February 20, 2004 10:31 AM
To: Tim Hergert
Cc: Semerjian, Ohanes; snort-users@lists.sourceforge.net
Subject: RE: [Snort-users] NetSky worm signature definition...!!!

I would strongly discourage this rule to catch Klez, NetSky or any
virus, for that matter. Running the string through some archived
mail, I'm seeing lots of false positives, particularly in (legitimate)
word documents.

I'll see what I can do to come up with something that reduces false
positives.

On Thu, 19 Feb 2004, Tim Hergert wrote:

> Having a portion that is a mass mailer, you'll see it come in on port 25
for
> sure . . .
>
> Using Matt Kettler's suggestion, I quickly kluged together a rule using
the
> clam av signature
> http://www.clamav.net/
>
> However, the old Klez detection rule seems to be triggered by NetSky, and
> the log times seem to correlate exactly with the logs from the antivirus
> software on the mail server.
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez
Incoming";
> flow:to_server,established; dsize:>120;content:"MIME";
> content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:3;)
>
> Seems to work well for me, but maybe I'm just lucky.
>
>
> -----Original Message-----
> From: Semerjian, Ohanes [mailto:ohanes.semerjian@au.mci.com]
> Sent: February 18, 2004 8:23 PM
> To: snort-users@lists.sourceforge.net
> Subject: [Snort-users] NetSky worm signature definition...!!!
>
>
> Hello all,
> Just was wondering if any one had this latest worm signature defined or
know
> it works (like which port, protocol it uses )
> Best Regards
> Ohanes Semerjian
>
>
> -------------------------------------------------------
> SF.Net is sponsored by: Speed Start Your Linux Apps Now.
> Build and deploy apps & Web services for Linux with
> a free DVD software kit from IBM. Click Now!
> http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users
>

--
Public key #7BBC68D9 at | Shane Williams
http://pgp.mit.edu/ | System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines | shanew@shanew.net
Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew

------_=_NextPart_001_01C3F74F.2A125F30
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">

<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2654.89">
<TITLE>RE: [Snort-users] NetSky worm signature definition...!!!</TITLE>
</HEAD>
<BODY>

I agree with what shane mentioned and was hopping a =
more specific signature that look into the payload. I mean if the virus =
is been caught and someone found out that the payload contains certain =
sequence of values that identify this worm. 
 

Best Regards


Ohanes Semerjian

 

-----Original Message-----
 From: Shane Williams [<A =
HREF=3D"mailto:shanew@shanew.net">mailto:shanew@sh anew.net</A>]
 Sent: Friday, February 20, 2004 10:31 AM
 To: Tim Hergert
 Cc: Semerjian, Ohanes; =
snort-users@lists.sourceforge.net
 Subject: RE: [Snort-users] NetSky worm signature =
definition...!!!

 

I would strongly discourage this rule to catch Klez, =
NetSky or any
 virus, for that matter.  Running the string =
through some archived
 mail, I'm seeing lots of false positives, =
particularly in (legitimate)
 word documents.


I'll see what I can do to come up with something that =
reduces false
 positives.


On Thu, 19 Feb 2004, Tim Hergert wrote:


> Having a portion that is a mass mailer, you'll =
see it come in on port 25 for
 > sure . . . 
 > 
 > Using Matt Kettler's suggestion, I quickly =
kluged together a rule using the
 > clam av signature
 > <A HREF=3D"http://www.clamav.net/" =
TARGET=3D"_blank">http://www.clamav.net/</A>
 > 
 > However, the old Klez detection rule seems to =
be triggered by NetSky, and
 > the log times seem to correlate exactly with =
the logs from the antivirus
 > software on the mail server.
 > 
 > alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS =
25 (msg:"VIRUS Klez Incoming";
 > flow:to_server,established; =
dsize:>120;content:"MIME";
 > content:"VGhpcyBwcm9"; =
classtype:misc-activity; sid:1800; rev:3;)
 > 
 > Seems to work well for me, but maybe I'm just =
lucky.
 > 
 > 
 > -----Original Message-----
 > From: Semerjian, Ohanes [<A =
HREF=3D"mailto:ohanes.semerjian@au.mci.com">mailto :ohanes.semerjian@au.m=
ci.com</A>]
 > Sent: February 18, 2004 8:23 PM
 > To: snort-users@lists.sourceforge.net
 > Subject: [Snort-users] NetSky worm signature =
definition...!!!
 > 
 > 
 > Hello all, 
 > Just was wondering if any one had this latest =
worm signature defined or know
 > it works (like which port, protocol it uses =
)
 > Best Regards 
 > Ohanes Semerjian 
 > 
 > 
 > =
-------------------------------------------------------
 > SF.Net is sponsored by: Speed Start Your Linux =
Apps Now.
 > Build and deploy apps & Web services for =
Linux with
 > a free DVD software kit from IBM. Click =
Now!
 > <A =
HREF=3D"http://ads.osdn.com/?ad_id=3D1356&alloc_id=3D3438&op=3Dclick" =
TARGET=3D"_blank">http://ads.osdn.com/?ad_id=3D1356&al...=3D3438&op=3D=
click</A>
 > =
_______________________________________________
 > Snort-users mailing list
 > Snort-users@lists.sourceforge.net
 > Go to this URL to change user options or =
unsubscribe:
 > <A =
HREF=3D"https://lists.sourceforge.net/lists/listinfo/snort-users" =
TARGET=3D"_blank">https://lists.sourceforge.net/lists/listinfo/snort-use=
rs</A>
 > Snort-users list archive:
 > <A =
HREF=3D"http://www.geocrawler.com/redir-sf.php3?list=3Dsnort-users" =
TARGET=3D"_blank">http://www.geocrawler.com/redir-sf.php3?list=3Dsnort-u=
sers</A>
 > 


-- 
 Public key #7BBC68D9 =
at             =
|        & nbsp;  &nbsp=
;     Shane Williams
 <A HREF=3D"http://pgp.mit.edu/" =
TARGET=3D"_blank">http://pgp.mit.edu/</A>     &=
nbsp;       &nb sp;  =
|      System Admin - UT iSchool
 =3D----------------------------------+-------------------------=
------
 All syllogisms contain three lines =
|        & nbsp;  &nbsp=
;  shanew@shanew.net
 Therefore this is not a syllogism  | =
www.ischool.utexas.edu/~shanew


</BODY>
</HTML>
------_=_NextPart_001_01C3F74F.2A125F30--

-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode