If you search the wiki for "storm worm" there are a number of hits, some
of the rules are gone now though (failed experiments on just tracking
dsize in udp).
But these two ought to catch what you're looking for:
http://doc.emergingthreats.net/bin/view/Main/2007701
http://doc.emergingthreats.net/bin/view/Main/2007702
And if you run the regular edonkey sigs you'll catch the old
non-encrypted variant quite well.
http://doc.emergingthreats.net/bin/view/Main/WebSearch?search=edonkey
As for the search: what can I do to make that easier? Did you just
search the main site vs the wiki?
matt
Paul Schmehl wrote:
--On Wednesday, February 13, 2008 13:54:13 -0800 Matt Jonkman
<jonkman@jonkmans.com> wrote:
We've had this one covered in emerging threats sigs (botht he regular
edonkey and the encrypted ones) for a very long time now.
Were you running these, and if so were they not hitting?
No, I don't run the emerging threats rules. I tried searching for storm worm
on your site, but I didn't find rules that address this particular packet
sig.
Perhaps I'm not searching correctly?
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
