I am going to suggest the use of mine over the one you posted using
pcre as there are more name variations out there than you have in the
sig. Thats why I used "within" to try and catch more randomization in
the file name. Granted mine will fire on any *price*.zip file (with
no longer than 10 characters before or after price) but there will be
less false negatives.
A better way, IMHO, (NOTE: I haven't tried this) in pcre would be
something like content:"filename=";
pcre:"m/[\w\d\._-]*price[\w\d\._-]*\.zip/" (I threw in . and - in
case they end up in later versions, right now i am not seeing any with
those characters, mainly one ore more underscores separating numbers
and words.
The other thing you need to be careful with is the fact that this worm
finds email addresses on the box it infects and looks at the MX record
of the domain it is sending mail to. If your users don't have many
external contacts most of the attacks will be on internal addresses.
If your MX mail servers live inside of your HOME_NET and you have a
default EXTERNAL_NET (!$HOME_NET,) you won't fire if the worm is using
your servers to send mail.
Another thing that might help reduce false positives, if you are only
looking for infected clients is to make a pass copy of the rule:
pass $SMTP_SERVERS any -> any 25 (rule junk here...)
That way if you have servers relaying between each other they won't
look like infected clients.
Thanks,
Paul Tinsley
On Mon, 09 Aug 2004 16:57:51 -0500, Matthew Jonkman <matt@infotex.com> wrote:
We've got a few more on bleedingsnort.com as well, the first was up
about 3 and a half hours ago. I think my posts on it are still coming to
the list.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Bagle Variant Requesting 2.jpg";
reference:url,http.isc.sans.org/diary.php?date=2004-08-09; content:"GET
/2.jpg"; sid:2001061; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
Bagle Variant Checking In";
reference:url,vil.nai.com/vil/content/v_127423.htm;
uricontent:"/spyware.php"; sid:2001064; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS
Possible Bagle.AQ Worm Outbound"; content:"filename=";
pcre:"m/(price2|new_price|08_price|newprice|new_price|price_new|price|price_08).zip/";
nocase; sid:2001065; rev:1;)
Matt
Paul Tinsley wrote:
Comments welcome, as I said written in a hurry, seems to work in my
environment just fine. If you are sitting somewhere that you can see
traffic between mail servers you may need to add a pass rule for the
mail servers as a source so they don't show up as infected sources.
alert tcp any any -> any 25 (msg:"Price Virus traffic
(WORM_Bagle.AC)"; sid:1200035; rev:1;
reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AC;
content:"filename="; content:"price"; within: 10; content: ".zip";
within: 10;)
Thanks,
Paul Tinsley
-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
