
List:       snort-sigs
Subject:    [Snort-sigs] Nail worm
From:       "Ian Macdonald" <secsnortsigs () dirk ! demon ! co ! uk>
Date:       2002-08-14 21:11:32

Just got a few false positives from the NAIL worm sigs.

From the McAfee description at http://vil.mcafee.com/dispVirus.asp?virus_k=10109 the subject line
can be one of:
'Good Times'
'New Developments'
'WWIII !'
'Market share tipoff...'

alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|"; reference:MCAFEE,10109; sid:741; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|"; reference:MCAFEE,10109; sid:742; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|"; reference:MCAFEE,10109; sid:743; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|47 6F 6F 64 20 54 69 6D 65 73|"; reference:MCAFEE,10109; sid:744; classtype:misc-activity; rev:3;)

So to reduce false positives we should probably do:

alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm (Market share tipoff)"; content:"Subject: |4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|"; reference:MCAFEE,10109; sid:741; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm (name =\"WWII!)"; content:"|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|"; reference:MCAFEE,10109; sid:742; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm (New Developments)"; content:"Subject: |4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|"; reference:MCAFEE,10109; sid:743; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm (Good Times)"; content:"Subject: |47 6F 6F 64 20 54 69 6D 65 73|"; reference:MCAFEE,10109; sid:744; classtype:misc-activity; rev:3;)

I think there might be a typo in sid:742; I think the content should be
"Subject: WWIII !".
I do not have the original packets for these sigs; I am just working from the
information on the McAfee web site in the hope of reducing false positives.

Ian



_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
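The point of the thread above is that a bare content: match is a substring test over the whole POP3 stream, so "Good Times" anywhere in a mail body fires sid:744, whereas prefixing the hex with "Subject: " only fires when the phrase sits in a Subject header. The script below is an added example, not part of Ian's post or the Snort ruleset: it decodes the mixed literal/|hex| content strings exactly as posted (which also shows what the sid:742 bytes actually spell), then runs both rule sets over three constructed POP3 RETR responses (not real captures). The third sample, a forwarded message whose body quotes the original headers, shows the caveat: the "Subject: " anchor still matches anywhere in the stream, so quoted or forwarded headers in a body remain a residual false-positive source.

```python
import re

# Content strings copied verbatim from the list post. sid:742 is the same
# in both sets because the post did not anchor it.
ORIGINAL_RULES = {
    741: '|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|',
    742: '|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|',
    743: '|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|',
    744: '|47 6F 6F 64 20 54 69 6D 65 73|',
}
ANCHORED_RULES = {
    741: 'Subject: |4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|',
    742: '|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|',
    743: 'Subject: |4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|',
    744: 'Subject: |47 6F 6F 64 20 54 69 6D 65 73|',
}

_PIPE = re.compile(r'\|([0-9A-Fa-f\s]*)\|')


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string into the raw bytes the rule looks for.
    Text outside |...| is literal; inside, space-separated hex bytes."""
    out = bytearray()
    pos = 0
    for m in _PIPE.finditer(content):
        out += content[pos:m.start()].encode('latin-1')
        out += bytes.fromhex(m.group(1))   # fromhex skips the spaces
        pos = m.end()
    out += content[pos:].encode('latin-1')
    return bytes(out)


def matching_sids(rules: dict, payload: bytes) -> list:
    """Sids whose content bytes occur anywhere in payload. This is the
    plain substring semantics of a bare content: option with no
    offset/depth/pcre, which is why the original rules are so noisy."""
    return sorted(sid for sid, c in rules.items()
                  if snort_content_to_bytes(c) in payload)


# --- constructed POP3 RETR responses (sample data, not real traffic) ---

# Ordinary mail that merely uses the worm's subject phrases in the body.
LEGIT_MAIL = (b"+OK 290 octets\r\n"
              b"From: alice@example.com\r\nTo: bob@example.com\r\n"
              b"Subject: Re: weekend\r\n\r\n"
              b"Good Times at the lake, thanks again!\r\n"
              b"New Developments from the team are attached.\r\n"
              b"Did you see that Market share tipoff in the news?\r\n"
              b".\r\n")

# Message with one of the worm's subjects in the actual Subject header.
WORM_MAIL = (b"+OK 120 octets\r\n"
             b"From: someone@example.net\r\nTo: bob@example.com\r\n"
             b"Subject: Good Times\r\n\r\n"
             b"see attachment\r\n"
             b".\r\n")

# Forwarded mail: the original headers are quoted inside the body, so the
# "Subject: " anchor still matches (residual false positive).
FORWARDED_MAIL = (b"+OK 200 octets\r\n"
                  b"From: carol@example.com\r\nTo: bob@example.com\r\n"
                  b"Subject: Fwd: look at this\r\n\r\n"
                  b"---------- Forwarded message ----------\r\n"
                  b"> Subject: Good Times\r\n"
                  b"> (original body here)\r\n"
                  b".\r\n")


if __name__ == '__main__':
    for sid, c in ORIGINAL_RULES.items():
        print(sid, snort_content_to_bytes(c))
    for name, payload in (('legit', LEGIT_MAIL), ('worm', WORM_MAIL),
                          ('forwarded', FORWARDED_MAIL)):
        print(name, 'original:', matching_sids(ORIGINAL_RULES, payload),
              'anchored:', matching_sids(ANCHORED_RULES, payload))
```

Decoding the sid:742 bytes gives `name ="WWIII!`, i.e. a MIME filename fragment rather than a Subject line, which is why the post leaves that rule unanchored. Against the legitimate sample the original set fires three sids and the anchored set none; both sets fire sid:744 on the worm-style sample; and both still fire on the forwarded sample, so a practitioner who wants to go further would need a real header-only test (depth/offset or a pcre anchored at line start) rather than a longer literal.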