Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
507
Views
0
Helpful
2
Replies

New Sig for myparty / NBAR Filter?

hschupp
Level 1
Level 1

‎01-28-2002 08:06 AM - edited ‎03-08-2019 09:41 PM

Has anyone built a signature for the myparty worm yet? Also trying to see if an NBAR has been built.

(I 'should' be able to figure out the signature issue myself but don't know enough on the NBAR side)

Thanks -

H. Schupp

Labels:
0 Helpful
2 Replies 2

rdhamank
Level 1
Level 1

‎01-28-2002 04:10 PM

This signature will not make it in the IDS Signature Update as IDS is not primarily a virus detector.

Try the following Custom Signature

Current Signature: Engine STRING.TCP SIGID 20000

SigName: myparty virus

Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold =

4 - Direction = ToService

5 - FlipAddr =

6 - MaxInspectLength =

7 - MinHits = 1

8 - MinMatchLength =

9 - MultipleHits =

10 * RegexString = [Ww][Ww][Ww][.][Mm][Yy][Pp][Aa][Rr][Tt][Yy][.][Yy][Aa][Hh][Oo][Oo][0-9]?[.][Cc][Oo][Mm]

11 - ResetAfterIdle = 15

12 - ServicePorts = 25

13 - SigComment =

14 - SigName = myparty Virus

15 - SigStringInfo = www.myparty.yahoo.Com

16 - StripTelnetOptions =

17 - ThrottleInterval = 15

18 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

0 Helpful

hschupp
Level 1
Level 1
In response to rdhamank

‎01-29-2002 04:15 AM

Thanks for the assist. I was actually very close... Guess I'm finally learning!

Thanks again.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents