Snort mailing list archives
Re: Klez Incoming
From: Shane Williams <shanew () shanew net>
Date: Thu, 14 Nov 2002 08:18:50 -0600 (CST)
I've been using the following rule for about 9 months now and I haven't seen any false positives (I'm also using it as a system-wide procmail filter and I check for false positives there), nor has anyone reported a false positive with this sig. I purposely put in some of the carriage returns so it's less likely to set off people's filters. Note also that I want to know if it's leaving my network as well as coming in.

# Catch Klez in SMTP
alert tcp any any -> any 25 (msg:"Virus - Klez"; content:"135AAItEjhyJRI8ci0SOGI
lEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE"; sid:10012; classtype:misc-activity; rev:1;)

If you get either false negatives or positives, please let me know.

For the snort-sig people: could someone replace the one Jacob points out below with the one above, or tell me how I can do it? Looking over the list archives there are repeated complaints about false positives with the one below.

On Wed, 13 Nov 2002, Jacob Redding wrote:
> Shane,
>
> The rule is found in virus.rules:
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; flow:to_server,established; dsize:>120; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:2;)
>
> Below is a copy-paste job from ACID minus names and word content to protect the innocent ;) 4th row contains the offending code. We use Sybari Antigen for Exchange. It did not report this particular message as infected; our virus defs are up to date and it has reported others.
>
> <snip..snip>
> Content-Type: audio/x-midi;...name=Address Book.pfc.scr..
> Content-Transfer-Encoding: base64..Content-ID: <ML572Y3j6iy3X>....
> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9
> ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v..ZGUuDQ0KJAAAAAAAAABxd
> Tv8NRRVrzUUVa81FFWvTghZrzEUVa+2CFuvNxRVr90LX68gFFWv3QtR..rzcUVa9
> XC0avPhRVrzUUVK+OFFWv3QterzoUVa+NElOvNBRVr1JpY2g1FFWvAAAAAAAAAFV
> QRQA
> <snip>
>
> > We average about 30-40 per day with around 1000 accounts. Just to make sure, which rule are you using? If you've got a copy of an email that snort caught and your AV didn't, I'd be interested in seeing a copy.
> >
> > On Wed, 13 Nov 2002, Jacob Redding wrote:
> >
> > > Every day I am receiving about 2-3 "VIRUS Klez Incoming" alerts from snort, but our virus protection program is not picking it up. I believe this is a false positive as our virus defs are up to date. Before I rule this as a false positive or start digging through people's mailboxes (privacy policy, blah blah), has anyone else had this experience??
> >
> > -- 
> > Public key #7BBC68D9 at            | Shane Williams
> > http://pgp.mit.edu/                | Systems Administrator UT-GSLIS
> > =----------------------------------+-------------------------------
> > All syllogisms contain three lines | shanew () gslis utexas edu
> > Therefore this is not a syllogism  | www.gslis.utexas.edu/~shanew
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                | Systems Administrator UT-GSLIS
=----------------------------------+-------------------------------
All syllogisms contain three lines | shanew () gslis utexas edu
Therefore this is not a syllogism  | www.gslis.utexas.edu/~shanew
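Why the stock rule (sid 1800) keeps firing on clean mail, as an added example that is not code from the thread or from Snort: "VGhpcyBwcm9" is just the start of the base64 encoding of the DOS stub text "This program cannot be run in DOS mode", which sits at offset 0x4E (a multiple of 3) in practically every Windows executable, so the content string appears in any base64-attached .exe or .scr, infected or not. The Python below builds a constructed minimal MZ/PE header (not a real program), shows that its second 76-character MIME line is exactly the row in Jacob's ACID paste, and contrasts the string match with decoding the attachment and checking it structurally; the function names are mine.

```python
import base64
import struct

# DOS stub text found at offset 0x4E of practically every MS-linked PE file.
STUB_MESSAGE = b"This program cannot be run in DOS mode"
RULE_1800_CONTENT = "VGhpcyBwcm9"   # content string of the stock virus.rules signature

def dos_stub_b64() -> str:
    """Base64 of the stub text. 0x4E is a multiple of 3, so when a PE is
    base64-encoded from byte 0 this exact encoding appears in the output."""
    return base64.b64encode(STUB_MESSAGE).decode("ascii")

def build_pe_header() -> bytes:
    """Constructed minimal MZ/PE header (not a real program): standard MZ
    fields, e_lfanew=0xE0, the classic 14-byte stub code, the stub text,
    then the PE signature. Headers only, no code or sections."""
    mz = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
          b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00"
          + b"\x00" * 32 + struct.pack("<I", 0xE0))        # 64 bytes, e_lfanew at 0x3C
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + STUB_MESSAGE + b".\r\r\n$")
    hdr = mz + stub
    return hdr + b"\x00" * (0xE0 - len(hdr)) + b"PE\x00\x00" + b"\x00" * 20

def mime_base64_lines(data: bytes, width: int = 76) -> list:
    """Encode like a MIME body: RFC 2045 wraps base64 at 76 characters."""
    enc = base64.b64encode(data).decode("ascii")
    return [enc[i:i + width] for i in range(0, len(enc), width)]

def rule_1800_would_match(lines) -> bool:
    """Mimic content:"VGhpcyBwcm9" against the lines as they cross the wire."""
    return any(RULE_1800_CONTENT in line for line in lines)

def decode_mime_base64(body: str) -> bytes:
    """Undo the MIME line wrapping and decode the attachment body."""
    compact = "".join(body.split())
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact)

def is_pe_executable(data: bytes) -> bool:
    """Structural check on decoded bytes: MZ magic plus PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

if __name__ == "__main__":
    body_lines = mime_base64_lines(build_pe_header())
    print(body_lines[1], rule_1800_would_match(body_lines))
```

The second line printed matches the fourth row of the ACID dump above once its embedded line break is removed, which is why a content string that short identifies "an executable attachment" rather than Klez; Shane's replacement content is taken from deeper in the Klez body instead.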
Current thread:
- Klez Incoming Jacob Redding (Nov 13)
- RE: Klez Incoming Gene Gomez (Nov 13)
- Re: Klez Incoming Shane Williams (Nov 13)
- Re: Klez Incoming Jacob Redding (Nov 13)
- Re: Klez Incoming Shane Williams (Nov 14)
- Re: Klez Incoming Jacob Redding (Nov 13)
- <Possible follow-ups>
- RE: Klez Incoming Jim O'Donald (Nov 13)
- RE: Klez Incoming Sean T. Ballard (Nov 14)
- RE: Klez Incoming Kreimendahl, Chad J (Nov 14)