Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
379
Views
0
Helpful
5
Replies

New Bug Bear signature help

gpoer
Level 1
Level 1

‎06-05-2003 09:54 PM - edited ‎03-09-2019 03:34 AM

Based on the article by symantec we wrote a sig for the new variant of the bug bear virus/worm. But I haven't gotten any hits as of yet. Has anyone else written something for this?

Here is the article:

<<A HREF="javascript:newWin('http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html')">http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html</A></a></a>>

Here is the Sig we wrote for the IDS but I have gotten 0 hits on thus far.

Engine STRING.TCP SIGID 20016 AlarmThrottle FireOnce Direction ToService MinHits 1 RegexString [Cc][Ww][Ee][Gg][[Aa][Aa]][Aa][Aa][Gg][Aa][Qq][Aa][Aa][Ee][Aa][Aa

][Aa][Aa][Oo][Aa][Gg][Aa][Cc][Aa][Bb][Cc][Aa][Aa][Aa]8[Aa][Yy][Aa][Aa][Bb][Aa][I

i][Aa][Aa][Aa][Aa][Qq][Aa][Aa][Aa][Ee][Aa][Aa][Aa][Aa][Aa][Ii][Aa][Aa][Aa][Qq][A

a][Aa][Aa][Aa][Aa] ResetAfterIdle 15 ServicePorts 25 ThrottleInterval 15 SigName BugBear B SMTP Worm Propagation

This is the snort sig that we used to make the CSIDS sig:

alert tcp any any -> any 25 (msg:"BugBear B SMTP Worm Propagation"; content:"CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA";)

Labels:
0 Helpful
5 Replies 5

ywadhavk
Cisco Employee
Cisco Employee

‎06-06-2003 06:09 AM

Hi Geoff,

The regex should be something like this;

a content of "2A FA 6D....

should be written as

\x2a\xfa\x6d.... (no spaces)

Thanks,

Yatin

0 Helpful

gpoer
Level 1
Level 1
In response to ywadhavk

‎06-06-2003 02:40 PM

I thought the \x was used when indicating Hex strings. Is that incorrect?

We changed the string to be exactly what we saw in the snort sig and have been getting hits. But now I am REALLY not sure if we are doing this correclty :)

thanks,

Geoff

Engine STRING.TCP SIGID 20016 AlarmThrottle FireOnce Direction ToService MinHits

1 RegexString CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA Rese

tAfterIdle 15 ServicePorts 25 ThrottleInterval 15 SigName BugBear B SMTP Worm Pr

opagation

0 Helpful

mcerha
Level 3
Level 3
In response to gpoer

‎06-09-2003 06:56 AM

This is correct. This Snort signature is looking for a string match of the MIME-encoded virus. It's not looking for raw hexidecimal values. Your custom signature "should" detect the virus as an email attachment, assuming the person who submitted the signature knew what they were doing. No guarantees. Double check the Snort pattern match with your custom signature regex to be sure.

0 Helpful

jpina
Level 1
Level 1
In response to mcerha

‎06-09-2003 01:55 PM

I have a follow up question. I'm a little new to the IDS MC. Would you add a custom string under settings =>signatures => string match=> add? Would I paste the line "Engine STRING.TCP SIGID 20016 AlarmThrottle FireOnce Direction ToService MinHits 1 RegexString CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA ResetAfterIdle 15 ServicePorts 25 ThrottleInterval 15 SigName BugBear B SMTP Worm Propagation" into the string box? Do I have to set the port to 139? If I were being attacked would I see it in the event viewer? Can i pull a report for this custom signature so I can see who is attacking?

0 Helpful

jpalani
Level 1
Level 1

‎06-06-2003 06:58 AM

-

0 Helpful
Customers Also Viewed These Support Documents