Snort mailing list archives
Re: Fizzer Worm Signature
From: Michael Bell <michael.bell () cms hu-berlin de>
Date: Tue, 13 May 2003 12:04:41 +0200
Ty Bodell wrote:
Hello community, I was wondering (might be too early) if anyone has a signature for the new Fizzer P2P worm or not? Let me know please.
Nobody answers so I do a first try. I get an additional warning from some CERTs but nobody sent Snort signatures, so I checked F-Secure's homepage
http://www.f-secure.com/v-descs/fizzer.shtml
If I understand the description right then the following rule should detect the worm:
alert tcp any any -> any any (msg:"Virus - Fizzer"; content:"Sparky will reign"; sid:999; classtype:misc-activity; rev:1;)
any any -> any any is problematical but my sparc has no problems with it. The other question is what Kazaa uses for transport. I think it's udp. So I'm scanning udp too.
alert udp any any -> any any (msg:"Virus - Fizzer"; content:"Sparky will reign"; sid:1000; classtype:misc-activity; rev:1;)
This is perhaps not the best way to scan for this virus but it works for my machine. We have no reports about infections with this worm and we detect no such worms in our network. So I'm not sure about the correctness of the rule.
An optimization could be the usage of mailserver ports for tcp, but all Snort rules in virus.rules only check pop3 and ignore pop2, imap2 and imap3. This is the reason why the default ruleset for viruses doesn't work for us (we are only using imap).
Best regards
Michael
--
-------------------------------------------------------------------
Michael Bell                    Email: michael.bell () cms hu-berlin de
ZE Computer- und Medienservice  Tel.: +49 (0)30-2093 2482
(Computing Centre)              Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                    Email (private): michael.bell () web de
Germany                         http://www.openca.org
-------------------------------------------------------------------
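The rule above matches on a plain byte string with no port restriction, and the post's closing remark is that the stock virus.rules only watch pop3. The following Python script is an added example, not code from Michael Bell's post or from Snort: it parses the subset of Snort 2 rule syntax the post uses, evaluates a rule against constructed mail-retrieval flows, and shows how pinning the rule to mail-server ports (the optimization the post mentions) still covers an imap-only site when pop2, imap2 and imap3 are listed alongside pop3. The port numbers (109, 110, 143, 220) are the IANA assignments for those services, the source-side placement of the ports assumes the message body travels from server to client, and the flow payloads are constructed, not captures.

```python
"""Toy Snort-style rule matcher for the Fizzer content rule (added example).

Not code from the post or from Snort. Assumes the Snort 2 rule syntax the
post uses, IANA port numbers for the mail services the post names, and
constructed flow records in place of real packets.
"""
import re
from dataclasses import dataclass

# Assumption: IANA ports for the services the post names. Stock virus.rules
# (per the post) only watched pop3; an imap-only site needs the others too.
MAIL_PORTS = {"pop2": 109, "pop3": 110, "imap2": 143, "imap3": 220}

# The tcp rule from the post, verbatim.
TCP_RULE = ('alert tcp any any -> any any (msg:"Virus - Fizzer"; '
            'content:"Sparky will reign"; sid:999; classtype:misc-activity; rev:1;)')

RULE_RE = re.compile(
    r"^alert\s+(?P<proto>tcp|udp)\s+\S+\s+(?P<sport>\S+)\s+->\s+\S+\s+(?P<dport>\S+)"
    r"\s+\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    proto: str
    sport: str      # port spec: "any", "110" or "[109,110,143,220]"
    dport: str
    msg: str
    content: bytes
    sid: int


@dataclass
class Flow:
    """One direction of a constructed conversation; sport is the sender's port."""
    proto: str
    sport: int
    dport: int
    payload: bytes


def parse_rule(text: str) -> Rule:
    """Parse the subset of Snort syntax the post uses (msg, content, sid).
    Options are split on ';', so a content with a literal ';' is not handled."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % text)
    opts = {}
    for opt in m.group("opts").split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    return Rule(m.group("proto"), m.group("sport"), m.group("dport"),
                opts["msg"], opts["content"].encode(), int(opts["sid"]))


def port_matches(spec: str, port: int) -> bool:
    """'any' matches everything; otherwise a single port or a [a,b,c] list."""
    if spec == "any":
        return True
    return port in {int(p) for p in spec.strip("[]").split(",")}


def rule_fires(rule: Rule, flow: Flow) -> bool:
    """Protocol, both port specs and a plain byte-substring match, as content: does."""
    return (rule.proto == flow.proto
            and port_matches(rule.sport, flow.sport)
            and port_matches(rule.dport, flow.dport)
            and rule.content in flow.payload)


def mail_port_variant(rule_text: str, services=("pop2", "pop3", "imap2", "imap3")) -> str:
    """The optimization the post suggests: pin the tcp rule to mail-server ports.
    The ports go on the source side because the message body travels from the
    server to the client that retrieves it (assumption about direction)."""
    ports = ",".join(str(MAIL_PORTS[s]) for s in services)
    return rule_text.replace("any any -> any any", "any [%s] -> any any" % ports, 1)


# Constructed flows, not captures: an IMAP fetch and a POP3 retrieval carrying
# the marker string, plus a benign IMAP fetch. Client ports are arbitrary.
FLOWS = {
    "imap_hit": Flow("tcp", 143, 40001, b"* 1 FETCH (BODY[] {40}\r\n...Sparky will reign..."),
    "pop3_hit": Flow("tcp", 110, 40002, b"+OK 1200 octets\r\n...Sparky will reign..."),
    "imap_clean": Flow("tcp", 143, 40003, b"* 2 FETCH (BODY[] {20}\r\nmeeting at 10\r\n"),
}


def which_fire(rule_text: str) -> list:
    """Names of the constructed flows that a rule text fires on."""
    rule = parse_rule(rule_text)
    return [name for name, flow in FLOWS.items() if rule_fires(rule, flow)]


if __name__ == "__main__":
    for label, text in (("any/any", TCP_RULE),
                        ("pop3 only", mail_port_variant(TCP_RULE, ("pop3",))),
                        ("all mail ports", mail_port_variant(TCP_RULE))):
        print("%-15s %s" % (label, which_fire(text)))
```

Running it shows the any/any rule and the four-port variant both firing on the IMAP and POP3 retrievals, while a pop3-only rule in the style of the stock virus.rules misses the IMAP fetch entirely, which is the gap the post describes for an imap-only site.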
Current thread:
- Fizzer Worm Signature Ty Bodell (May 12)
- Re: Fizzer Worm Signature Michael Bell (May 13)
- <Possible follow-ups>
- Re: Fizzer Worm Signature Hudak, Tyler (May 13)
