Paul Tinsley wrote:
I am going to suggest the use of mine over the one you posted using
pcre as there are more name variations out there than you have in the
sig. Thats why I used "within" to try and catch more randomization in
the file name. Granted mine will fire on any *price*.zip file (with
no longer than 10 characters before or after price) but there will be
less false negatives.
I'd agree, but I don't see any docs showing that there are any other
filenames in use for this particular worm. If there were variations your
way would certainly be better, and definitely more elegant. :)
But I think for this one if the filenames stay in this range they'll be
reliably caught with this method.
But of course if there is evidence somewhere that there are more
variations we can change over to your method.
The other thing you need to be careful with is the fact that this worm
finds email addresses on the box it infects and looks at the MX record
of the domain it is sending mail to. If your users don't have many
external contacts most of the attacks will be on internal addresses.
If your MX mail servers live inside of your HOME_NET and you have a
default EXTERNAL_NET (!$HOME_NET,) you won't fire if the worm is using
your servers to send mail.
THat's a good point. Hopefully we'd catch the multiple smtp connections
for the mail being sent with other rules in effect, but if they're on
exchange we'd not see that. But the odds of not having a single external
domain on a box are pretty slim. I think every box would have at least
microsoft.com, or whatever mail client they're using in there somewhere.
What would be ideal is a packet dump of the actual worm binary that we
could extract a unique string from and look for that on all ports, but
that would be a lot of overhead for snort so string match every packet
on every port.
Another thing that might help reduce false positives, if you are only
looking for infected clients is to make a pass copy of the rule:
pass $SMTP_SERVERS any -> any 25 (rule junk here...)
Very good point. I'll leave that out of the bleeding rules though to
avoid confusion.
Thanks very much for the ideas. Much appreciated.
Matt
-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
