06-05-2003 09:54 PM - edited 03-09-2019 03:34 AM
Based on the article by Symantec we wrote a sig for the new variant of the BugBear virus/worm. But I haven't gotten any hits as of yet. Has anyone else written something for this?
Here is the article:
http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear.b@mm.html
Here is the sig we wrote for the IDS, but I have gotten 0 hits on it thus far.
Engine STRING.TCP SIGID 20016 AlarmThrottle FireOnce Direction ToService MinHits 1 RegexString [Cc][Ww][Ee][Gg][[Aa][Aa]][Aa][Aa][Gg][Aa][Qq][Aa][Aa][Ee][Aa][Aa][Aa][Aa][Oo][Aa][Gg][Aa][Cc][Aa][Bb][Cc][Aa][Aa][Aa]8[Aa][Yy][Aa][Aa][Bb][Aa][Ii][Aa][Aa][Aa][Aa][Qq][Aa][Aa][Aa][Ee][Aa][Aa][Aa][Aa][Aa][Ii][Aa][Aa][Aa][Qq][Aa][Aa][Aa][Aa][Aa] ResetAfterIdle 15 ServicePorts 25 ThrottleInterval 15 SigName BugBear B SMTP Worm Propagation
This is the snort sig that we used to make the CSIDS sig:
alert tcp any any -> any 25 (msg:"BugBear B SMTP Worm Propagation"; content:"CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA";)
06-06-2003 06:09 AM
Hi Geoff,
The regex should be something like this:
a content of "2A FA 6D....
should be written as
\x2a\xfa\x6d.... (no spaces)
Thanks,
Yatin
06-06-2003 02:40 PM
I thought the \x was used when indicating Hex strings. Is that incorrect?
We changed the string to be exactly what we saw in the Snort sig and have been getting hits. But now I am REALLY not sure if we are doing this correctly :)
thanks,
Geoff
Engine STRING.TCP SIGID 20016 AlarmThrottle FireOnce Direction ToService MinHits 1 RegexString CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA ResetAfterIdle 15 ServicePorts 25 ThrottleInterval 15 SigName BugBear B SMTP Worm Propagation
06-09-2003 06:56 AM
This is correct. This Snort signature is looking for a string match of the MIME-encoded virus. It's not looking for raw hexadecimal values. Your custom signature "should" detect the virus as an email attachment, assuming the person who submitted the signature knew what they were doing. No guarantees. Double check the Snort pattern match with your custom signature regex to be sure.
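The double check suggested above, as an added example that is not part of the thread and not Cisco or Snort code. It takes the Snort content string and the first RegexString from the thread, base64-decodes the content (it reads as the first 44 bytes of a PE32 optional header: Magic 0x10B, ImageBase 0x400000, which is consistent with the rule matching the MIME-encoded executable attachment rather than raw bytes), and runs both patterns over a constructed MIME body. The attachment layout, the stub lengths and the use of Python's re engine in place of the CSIDS STRING.TCP engine are all assumptions made for the demonstration; the point the example adds is that a literal match on base64 text only fires when the bytes sit at the same 3-byte group alignment as in the original sample and the 60 characters fall inside one encoded line.

```python
import base64
import re
import struct
import warnings

# The Snort 'content' from the thread. It is base64 text as it travels inside
# the MIME-encoded attachment, which is why it is matched as ASCII and not as
# raw \x.. bytes.
SNORT_CONTENT = "CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA"

# The first RegexString from the thread, rejoined onto one line exactly as
# posted, including the stray '[[...]]'.
FIRST_REGEX = (
    "[Cc][Ww][Ee][Gg][[Aa][Aa]][Aa][Aa][Gg][Aa][Qq][Aa][Aa][Ee][Aa][Aa]"
    "[Aa][Aa][Oo][Aa][Gg][Aa][Cc][Aa][Bb][Cc][Aa][Aa][Aa]8[Aa][Yy][Aa][Aa][Bb][Aa][Ii]"
    "[Aa][Aa][Aa][Aa][Qq][Aa][Aa][Aa][Ee][Aa][Aa][Aa][Aa][Aa][Ii][Aa][Aa][Aa][Qq][Aa]"
    "[Aa][Aa][Aa][Aa]"
)

# Layout of the first 44 bytes of a PE32 IMAGE_OPTIONAL_HEADER (little-endian).
OPT_HEADER_STRUCT = "<HBBIIIIIIIIIHH"
OPT_HEADER_FIELDS = (
    "Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
    "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
    "BaseOfCode", "BaseOfData", "ImageBase", "SectionAlignment",
    "FileAlignment", "MajorOperatingSystemVersion", "MinorOperatingSystemVersion",
)


def decode_content(content=SNORT_CONTENT):
    """Base64-decode the content string and read it as a PE32 optional header.

    60 base64 characters decode to 45 bytes; the first 44 are parsed.
    """
    raw = base64.b64decode(content)
    return dict(zip(OPT_HEADER_FIELDS, struct.unpack_from(OPT_HEADER_STRUCT, raw)))


def build_attachment(stub_len=216):
    """Constructed attachment, not a real sample: an 'MZ' stub of stub_len
    bytes, the 'PE\\0\\0' signature, a zeroed 20-byte file header, then the
    45 bytes the content string decodes to, then filler. The optional header
    therefore starts at file offset stub_len + 24 (assumed layout)."""
    header = base64.b64decode(SNORT_CONTENT)
    return (b"MZ" + b"\x00" * (stub_len - 2) + b"PE\x00\x00" + b"\x00" * 20
            + header + b"\x00" * 15)


def mime_body(attachment, line_length=76):
    """Encode the attachment the way a MIME agent does: base64 broken into
    line_length-character lines with CRLF terminators (RFC 2045 uses 76)."""
    encoded = base64.b64encode(attachment).decode("ascii")
    lines = [encoded[i:i + line_length] for i in range(0, len(encoded), line_length)]
    return "\r\n".join(lines) + "\r\n"


def snort_content_matches(body):
    """What a Snort 'content' does: a literal, case-sensitive substring search."""
    return SNORT_CONTENT in body


def first_regex_matches(body):
    """Apply the originally posted RegexString with Python's re engine.

    Python reads '[[Aa]' as a class of '[', 'A', 'a' and the following ']' as a
    literal, so the pattern demands a ']' that base64 text never contains."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", FutureWarning)  # Python warns about '[['
        return re.search(FIRST_REGEX, body) is not None


def check_alignment(stub_len, line_length=76):
    """Return (match on wrapped body, match on body with CRLFs removed)."""
    body = mime_body(build_attachment(stub_len), line_length)
    return snort_content_matches(body), snort_content_matches(body.replace("\r\n", ""))


if __name__ == "__main__":
    for name, value in decode_content().items():
        print(f"{name:28s} 0x{value:X}")
    body = mime_body(build_attachment(216))
    print("snort content on wrapped body:", snort_content_matches(body))
    print("first regex on the same body: ", first_regex_matches(body))
    print("stub one byte longer:         ", check_alignment(217))
    print("stub 240, string crosses a line break:", check_alignment(240))
```

With the 216-byte stub the 60 characters land inside one 76-character line and the literal content matches, while the posted regex never does. Lengthening the stub by a single byte regroups the base64 and the same header bytes encode to a completely different string, and with a 240-byte stub the string straddles a line break and only matches once the CRLFs are stripped. Base64 is also case-sensitive ("A" and "a" decode to different values), so the per-character [Aa] classes widen the match to text that does not decode to the same bytes.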
06-09-2003 01:55 PM
I have a follow-up question. I'm a little new to the IDS MC. Would you add a custom string under Settings => Signatures => String Match => Add? Would I paste the line "Engine STRING.TCP SIGID 20016 AlarmThrottle FireOnce Direction ToService MinHits 1 RegexString CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA ResetAfterIdle 15 ServicePorts 25 ThrottleInterval 15 SigName BugBear B SMTP Worm Propagation" into the string box? Do I have to set the port to 139? If I were being attacked would I see it in the event viewer? Can I pull a report for this custom signature so I can see who is attacking?
06-06-2003 06:58 AM
-