Paul Schmehl wrote:
OK, this is more like it.
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN
Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6 d4
c3|";
depth:4; threshold: type both, count 1, seconds 60, track by_src;
classtype:trojan-activity; sid:2007701; rev:2;)
But there's no offset, so it could still false positive *and* the d4 c3 won't
be in every packet (as you can see from the capture that I posted) whereas
the
10 a6 will be in every packet (10 a6 is the encrypted protocol signature for
eDonkey.)
The depth anchors the first content match to be the first 4 bytes of the
packet, so that avenue of FPs is handled.
But these storm packets as far as I know aren't using the edonkey
encrypted protocol, they're just XORing the entire packet against a
40-bit key. Joe Stewart reversed it and I wrote these sigs based upon
his paper posted somewhere on the secureworks site.
I would be surprised if this is the regular edonkey encryption
protocols, but it's certainly possible. Do you have a spec handy on the
encryption portion of the proto?
Matt
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
