Snort mailing list archives

Re: Klez Incoming


From: Shane Williams <shanew () shanew net>
Date: Thu, 14 Nov 2002 08:18:50 -0600 (CST)

I've been using the following rule for about 9 months now and I
haven't seen any false positives (I'm also using it as a system-wide
procmail filter and I check for false positives there), nor has anyone
reported a false positive with this sig.

I purposely put in some of the carriage returns so it's less likely to
set off people's filters.  Note also that I want to know if it's
leaving my network as well as coming in.

# Catch Klez in SMTP
alert tcp any any -> any 25 (msg:"Virus - Klez"; \
        content:"135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE"; \
        sid:10012; classtype:misc-activity; rev:1;)

If you get either false negatives or positives, please let me know.

For the snort-sig people.  Could someone replace the one Jacob points
out below with the one above, or tell me how I can do it.  Looking
over the list archives there are repeated complaints about false
positives with the one below.

On Wed, 13 Nov 2002, Jacob Redding wrote:

Shane,
   The rule is found in virus.rules

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; \
        flow:to_server,established; dsize:>120; content:"MIME"; \
        content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:2;)

   Below is a copy-paste job from ACID minus names and word content to
protect the innocent ;) 4th row contains the offending code.

   We use Sybari Antigen for Exchange. It did not report this particular
message as infected; our virus defs are up to date and it has reported
others.
<snip..snip>
Content-Type: audio/x-midi;...name=Address Book.pfc.scr..
Content-Transfer-Encoding: base64..Content-ID:
<ML572Y3j6iy3X>....TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..AAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9
ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v..ZGUuDQ0KJAAAAAAAAABxd
Tv8NRRVrzUUVa81FFWvTghZrzEUVa+2CFuvNxRVr90LX68gFFWv3QtR..rzcUVa9
XC0avPhRVrzUUVK+OFFWv3QterzoUVa+NElOvNBRVr1JpY2g1FFWvAAAAAAAAAFV
QRQA
<snip>


We average about 30-40 per day with around 1000 accounts.

Just to make sure, which rule are you using?  If you've got a copy of an
email that Snort caught and your AV didn't, I'd be interested in seeing
a copy.

On Wed, 13 Nov 2002, Jacob Redding wrote:

  Every day I am receiving about 2-3 "VIRUS Klez Incoming" alerts from
Snort, but our virus protection program is not picking it up. I
believe this is a false positive as our virus defs are up to date.
Before I rule this as a false positive or start digging through
people's mailboxes (privacy policy, blah blah), has anyone else had this
experience?

--
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                | Systems Administrator UT-GSLIS
=----------------------------------+-------------------------------
All syllogisms contain three lines |        shanew () gslis utexas edu
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
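Why the virus.rules signature (sid:1800) fires on harmless base64-encoded executables while a signature taken from the worm's own code does not, as an added Python illustration that is not code from this thread or from the Snort project. The MZ stub and the MIME wrapper are constructed, and the Snort content match is reduced to a literal substring search (flow: and the other rule options are ignored).

```python
import base64

# Content strings exactly as they appear in the two rules quoted above.
GENERIC_CONTENT = b"VGhpcyBwcm9"      # sid:1800
KLEZ_CONTENT = (b"135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJ"
                b"RI8Qi0SODIlEjwyLRI4IiUSPCItE")   # sid:10012

# Message every Microsoft-linked PE carries in its DOS stub, normally at
# offset 0x4E of the file (constructed stub below reproduces that layout).
DOS_STUB_MSG = b"This program cannot be run in DOS mode.\r\n$"


def decoded_generic():
    """Show what sid:1800 really looks for: base64 of 'This pro'."""
    return base64.b64decode(GENERIC_CONTENT + b"=")


def build_mz_stub(msg_offset=0x4E, size=128):
    """Constructed minimal MZ header: 'MZ' magic, zero padding, the DOS
    stub message at msg_offset, and a 'PE\\0\\0' marker at the end."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    buf[msg_offset:msg_offset + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    buf[size - 4:size] = b"PE\0\0"
    return bytes(buf)


def smtp_payload(attachment):
    """Constructed MIME body carrying the attachment base64-encoded, the
    way a mail client ships any .exe/.scr, infected or not."""
    return (b"MIME-Version: 1.0\r\nContent-Transfer-Encoding: base64\r\n\r\n"
            + base64.b64encode(attachment))


def content_matches(payload, content):
    """Snort 'content:' reduced to a literal substring search."""
    return content in payload


def rule_1800_fires(payload):
    """dsize:>120; content:"MIME"; content:"VGhpcyBwcm9" from sid:1800."""
    return (len(payload) > 120
            and content_matches(payload, b"MIME")
            and content_matches(payload, GENERIC_CONTENT))


def rule_10012_fires(payload):
    """The single content match from the replacement rule."""
    return content_matches(payload, KLEZ_CONTENT)
```

Shifting the stub message by one byte (msg_offset=0x4F) changes the base64 alignment and the generic match silently stops firing, which is the other weakness of matching base64 text instead of decoding it.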