5894:1 Storm Worm

Sep 27th, 2007

The signature generates false positives on DNS traffic.

An example is a DNS query with a Transaction ID of 0xE30F.

At networks with a lot of DNS traffic the signature will produce 30+ alarms per day.

mhellman Thu, 09/27/2007 - 06:38

This signature is designed to detect the botnet behavior of an infected machine. Some possible options are to exclude your DNS servers as a source or destination, or you could modify the ports to ignore 53 (1-51,54-65535).
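To show concretely why the port-range tuning in the reply above removes the DNS false positives, here is an added example that is not from this thread or from Cisco: it models the signature as a two-byte content match at the start of the UDP payload (an assumption about how the signature is written), uses the port list 1-51,54-65535 from the reply, and runs it over constructed DNS datagrams.

```python
import struct

# Assumption for this example: the signature is a plain two-byte content
# match at the start of the UDP payload. A DNS header starts with its
# 16-bit transaction ID, so a query whose ID happens to be 0xE30F matches.
STORM_PATTERN = b"\xe3\x0f"

# Port list from the reply above: everything except 53.
TUNED_PORTS = [(1, 51), (54, 65535)]

def build_dns_query(txid, sport=40000, dport=53, qname="example.com"):
    """Constructed UDP datagram: 8-byte UDP header plus a minimal DNS query."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0)  # checksum left 0
    return udp + dns

def parse_udp(datagram):
    sport, dport, _length, _csum = struct.unpack("!HHHH", datagram[:8])
    return sport, dport, datagram[8:]

def port_in_ranges(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)

def signature_fires(datagram, port_ranges=None):
    """Model of the signature. port_ranges=None is the shipped form (any port);
    with TUNED_PORTS a datagram touching port 53 on either side is skipped
    (assumption: the sensor applies the port list to both endpoints)."""
    sport, dport, payload = parse_udp(datagram)
    if port_ranges is not None:
        if not (port_in_ranges(sport, port_ranges) and port_in_ranges(dport, port_ranges)):
            return False
    return payload.startswith(STORM_PATTERN)

def expected_daily_false_positives(dns_packets_per_day):
    """A uniformly random 16-bit transaction ID equals a fixed 2-byte pattern
    once in 65536 packets, which is the baseline false-positive rate."""
    return dns_packets_per_day / 65536

if __name__ == "__main__":
    query = build_dns_query(0xE30F)
    print("shipped signature on DNS query:", signature_fires(query))  # True
    print("tuned signature on DNS query:", signature_fires(query, TUNED_PORTS))  # False
    print("expected alarms/day at 2M DNS packets:", expected_daily_false_positives(2_000_000))
```

The rate function also shows that the 30+ alarms a day reported in the question correspond to on the order of two million DNS packets a day passing the sensor.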

apolkosnik Wed, 10/03/2007 - 08:31

Is it just me, or lately is the quality of the signatures out of the box less than satisfactory?

m-hansson Thu, 10/04/2007 - 02:54

How about modifying the signature so it won't look at the transaction ID for DNS traffic? A lot better than having everyone with a Cisco IDS/IPS sensor add filters or change the ports.

Yes I agree, signature quality is sometimes really poor. This is a good example.

apolkosnik Thu, 10/04/2007 - 05:29

Most people just don't want to be bothered with tweaking. If it's too noisy, it gets disabled.

mhellman Thu, 10/04/2007 - 06:21

You might consider having generic filters for your DNS servers anyway. It is not uncommon for traffic to/from them to trigger a variety of signatures. Trying to create a regex that matches one thing but not another is sometimes very difficult. In our own environment, the botnet behavior would likely be very noticeable for other reasons, so the signature may not be that useful anyway.

m-hansson Thu, 10/25/2007 - 06:50

Ehh? So just because there already are a lot of bad quality signatures we should accept more?

I guess the current engines can't handle this type of advanced signatures and that's too bad. Several competitors are making way more advanced signatures.

mhellman Mon, 10/29/2007 - 06:37

No, you shouldn't, especially if you believe there is greener pasture available;-) You could open a ticket with Cisco to fix it if you think it's possible to create a "tighter" signature. Until then, I would suggest filtering.
