
Re: Allaplw Trojan Sig: msg#00110

security.ids.snort.bleedingsnort

Subject: Re: Allaplw Trojan Sig

I did something similar, and spread it out to 2 sigs to get in and out.

http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/VIRUS/WORM_Allaple?view=markup

That what you had in mind?

It's interesting, I'm seeing more replies than requests. Not sure why,
looking.

Matt

Robert Grabowsky wrote:
> I recommend adding icode:0; itype:8; to this rule so it narrows it down
> to echo requests coming from the HOME_NET
>
>
> alert icmp $HOME_NET any -> any any (msg:"BLEEDING-EDGE WORM Allaple
> ICMP Sweep"; content:"Babcdefghijklmnopqrstuvwabcdefghi"; icode:0;
> itype:8; classtype:trojan-activity;
> reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html;
> sid:2003292; rev:2;)
>
>
> Matt Jonkman wrote:
>> In sandboxing one, a couple of us have noticed that the ICMP from this
>> thing's sweeps has a unique payload.
>>
>> This is posted, please let me know if this ends up hitting on other
>> types of ICMP.
>>
>> alert icmp $HOME_NET any -> any any (msg:"BLEEDING-EDGE WORM Allaple
>> ICMP Sweep"; content:"Babcdefghijklmnopqrstuvwabcdefghi";
>> classtype:trojan-activity;
>> reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html;
>> sid:2003292; rev:1;)
>>
>> Matt
>>
>

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
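The rev:1 and rev:2 rules in the thread differ only by the itype:8/icode:0 qualifiers. The following added example (not from the list or the Bleeding Edge ruleset) builds constructed ICMP messages and applies both matching conditions to them; it shows why the content-only rule also fires on echo replies, which by RFC 792 return the request's data unchanged. All packet values are constructed for illustration.

```python
import struct

# Payload the thread identifies in Allaple's ICMP sweep probes.
ALLAPLE_PAYLOAD = b"Babcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, icode: int, payload: bytes, ident=0x1234, seq=1) -> bytes:
    """Constructed ICMP echo message: 8-byte header plus payload, checksum filled in."""
    hdr = struct.pack("!BBHHH", itype, icode, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", itype, icode, csum, ident, seq) + payload


def parse_icmp(msg: bytes) -> dict:
    """Split an ICMP message into the fields the two rules test."""
    itype, icode, _csum, _ident, _seq = struct.unpack("!BBHHH", msg[:8])
    return {"itype": itype, "icode": icode, "payload": msg[8:]}


def rev1_matches(pkt: dict) -> bool:
    """sid:2003292 rev:1 from the thread: content match only."""
    return ALLAPLE_PAYLOAD in pkt["payload"]


def rev2_matches(pkt: dict) -> bool:
    """rev:2 as proposed: same content, but only echo requests (itype:8; icode:0)."""
    return rev1_matches(pkt) and pkt["itype"] == 8 and pkt["icode"] == 0


# Constructed traffic: a sweep probe, the reply it provokes, and an ordinary ping.
SAMPLE = [
    build_icmp(8, 0, ALLAPLE_PAYLOAD),  # echo request from the sweeping host
    build_icmp(0, 0, ALLAPLE_PAYLOAD),  # echo reply carrying the same data back
    build_icmp(8, 0, b"\x00" * 32),     # unrelated echo request, no Allaple payload
]


def count_matches(packets, rule) -> int:
    """Number of packets in `packets` on which the rule predicate fires."""
    return sum(1 for p in packets if rule(parse_icmp(p)))
```

Running rev1_matches over SAMPLE gives 2 hits (request and reply) while rev2_matches gives 1, which is the narrowing the thread is after.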

