Snort mailing list archives

Re: Klez Incoming


From: "Jacob Redding" <Jacob () wiredgeek com>
Date: Wed, 13 Nov 2002 13:35:56 -0800 (PST)

Shane,
   The rule is found in virus.rules

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming";
flow:to_server,established; dsize:>120; content:"MIME";
content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:2;)

   Below is a copy-paste job from acid minus names and word content to
protect the innocent ;) 4th row contains the offending code.

   We use Sybari Antigen for Exchange. It did not report this particular
message as infected; our virus defs are up to date and it has reported
others.
<snip..snip>
Content-Type: audio/x-midi;...name=Address Book.pfc.scr..
Content-Transfer-Encoding: base64..Content-ID:
<ML572Y3j6iy3X>....TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9
ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v..ZGUuDQ0KJAAAAAAAAABxd
Tv8NRRVrzUUVa81FFWvTghZrzEUVa+2CFuvNxRVr90LX68gFFWv3QtR..rzcUVa9
XC0avPhRVrzUUVK+OFFWv3QterzoUVa+NElOvNBRVr1JpY2g1FFWvAAAAAAAAAFV
QRQA
<snip>


We average about 30-40 per day with around 1000 accounts.

Just to make sure, which rule are you using?  If you've got a copy of an
email that snort caught and your AV didn't, I'd be interested in seeing
a copy.

On Wed, 13 Nov 2002, Jacob Redding wrote:

  Every day I am receiving about 2-3 "VIRUS Klez Incoming" alerts from
snort, but our virus protection program is not picking it up. I
believe this is a false positive as our virus defs are up to date.
Before I rule this as a false positive or start digging through
people's mailboxes (privacy policy, blah blah), has anyone else had this
experience?

--
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                | Systems Administrator UT-GSLIS
=----------------------------------+-------------------------------
All syllogisms contain three lines |        shanew () gslis utexas edu
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew
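Added example (not part of the thread, and not code from either poster or from the Snort project): the rule's second content match, "VGhpcyBwcm9", is simply the base64 encoding of "This pro", the start of the DOS-stub string "This program cannot be run in DOS mode" that the Microsoft linker writes at file offset 0x4E of nearly every PE executable. Jacob's ACID dump shows exactly that: "TVqQ" is "MZ", and the stub string follows. So sid 1800 really says "a base64-encoded Win32 executable is being mailed in", not "this is Klez". The script below reproduces the rule's content checks on a constructed MIME message, decodes the attachment to confirm it is an MZ/PE image the way Jacob did by eye, and shows the alignment property the rule silently depends on. The message, the fake PE image and the sender/recipient addresses are all constructed here for the example.

```python
"""
Why Snort sid 1800 ("VIRUS Klez Incoming") fires on any mailed PE file.
Standard library only; the MIME message and the PE stand-in are constructed.
"""
import base64
import email
import email.policy

DOS_STUB = b"This program cannot be run in DOS mode"
RULE_CONTENT = b"VGhpcyBwcm9"   # second content: match in sid 1800
STUB_OFFSET = 0x4E              # where MS-linked PEs place the stub string


def build_fake_pe(stub_offset=STUB_OFFSET, size=512):
    """Constructed stand-in for a PE file: 'MZ' magic at offset 0 and the
    DOS stub message at stub_offset.  Not a real executable."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    buf[stub_offset:stub_offset + len(DOS_STUB)] = DOS_STUB
    return bytes(buf)


def build_message(attachment, filename="Address Book.pfc.scr"):
    """Constructed MIME message in the shape of the ACID excerpt: one
    base64 part labelled audio/x-midi with a .scr name.  The base64 is
    wrapped at 76 columns with CRLF, as a mail client would send it."""
    b64 = base64.encodebytes(attachment).decode("ascii").replace("\n", "\r\n")
    text = (
        "From: sender@example.invalid\r\n"
        "To: user@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="sep"\r\n'
        "\r\n"
        "--sep\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "see attachment\r\n"
        "--sep\r\n"
        f'Content-Type: audio/x-midi; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{b64}"
        "--sep--\r\n"
    )
    return text.encode("ascii")


def sid1800_matches(payload):
    """The content checks of sid 1800 applied to a reassembled SMTP payload.
    Caveat: Snort evaluates dsize per packet and matches raw wire bytes, so a
    CRLF line wrap falling inside the 11-character string would defeat it."""
    return (len(payload) > 120
            and b"MIME" in payload
            and RULE_CONTENT in payload)


def base64_pe_attachments(raw):
    """Decode every base64 part and report those that start with 'MZ' and
    carry the DOS stub string: the check Jacob did by eye on the ACID dump."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    for part in msg.walk():
        if str(part.get("Content-Transfer-Encoding", "")).lower() != "base64":
            continue
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"MZ" and DOS_STUB in data:
            hits.append((part.get_filename(), part.get_content_type()))
    return hits


def stub_encodings_by_alignment():
    """base64 works in 3-byte groups, so the stub string encodes three
    different ways depending on its file offset mod 3.  Only alignment 0
    yields the rule's string; 0x4E mod 3 == 0, which is why the rule works
    on normal PEs and why a stub at an offset that is not a multiple of 3
    would slip past it."""
    result = {}
    for shift in range(3):
        enc = base64.b64encode(b"\0" * shift + DOS_STUB).decode("ascii")
        result[shift] = RULE_CONTENT.decode("ascii") in enc
    return result


if __name__ == "__main__":
    raw = build_message(build_fake_pe())
    print("sid 1800 fires:", sid1800_matches(raw))
    print("PE attachments:", base64_pe_attachments(raw))
    print("rule string present, by base64 alignment:", stub_encodings_by_alignment())
```

The practical point for a thread like this one: an alert from sid 1800 that the AV gateway does not confirm is not automatically a false positive. The rule fires on any base64-encoded executable, so the attachment may be a program that simply is not Klez (or not anything the AV signatures know). Decoding the part and checking for the MZ magic, as above, tells you whether an executable really arrived; only the AV (or a hash) tells you which one.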




