01-28-2002 08:06 AM - edited 03-08-2019 09:41 PM
Has anyone built a signature for the myparty worm yet? Also trying to see if an NBAR has been built.
(I 'should' be able to figure out the signature issue myself but don't know enough on the NBAR side)
Thanks -
H. Schupp
01-28-2002 04:10 PM
This signature will not make it in the IDS Signature Update as IDS is not primarily a virus detector.
Try the following Custom Signature
Current Signature: Engine STRING.TCP SIGID 20000
SigName: myparty virus
Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireOnce
3 - ChokeThreshold =
4 - Direction = ToService
5 - FlipAddr =
6 - MaxInspectLength =
7 - MinHits = 1
8 - MinMatchLength =
9 - MultipleHits =
10 * RegexString = [Ww][Ww][Ww][.][Mm][Yy][Pp][Aa][Rr][Tt][Yy][.][Yy][Aa][Hh][Oo][Oo][0-9]?[.][Cc][Oo][Mm]
11 - ResetAfterIdle = 15
12 - ServicePorts = 25
13 - SigComment =
14 - SigName = myparty Virus
15 - SigStringInfo = www.myparty.yahoo.Com
16 - StripTelnetOptions =
17 - ThrottleInterval = 15
18 - WantFrag =
d - Delete a value
u - UNDO and continue
x - SAVE and continue
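An offline check of the RegexString in the reply above, added here as an example and not part of the original thread or of Cisco's software. It uses Python's `re` module to approximate the Direction, ServicePorts and MinHits settings; the helper name, the sample flows and the way sensor matching is modelled are assumptions.

```python
import re

# RegexString copied verbatim from the custom signature in the reply above.
SIG_REGEX = re.compile(
    rb"[Ww][Ww][Ww][.][Mm][Yy][Pp][Aa][Rr][Tt][Yy][.]"
    rb"[Yy][Aa][Hh][Oo][Oo][0-9]?[.][Cc][Oo][Mm]"
)
SERVICE_PORTS = {25}  # ServicePorts = 25
MIN_HITS = 1          # MinHits = 1


def signature_fires(dst_port, to_service, payload):
    """Hypothetical helper approximating the signature: inspect only
    client-to-server data (Direction = ToService) sent to a listed
    service port, and alarm once MinHits matches are seen."""
    if not to_service or dst_port not in SERVICE_PORTS:
        return False
    return len(SIG_REGEX.findall(payload)) >= MIN_HITS


# Constructed sample flows: (dst_port, to_service, payload). Not captured traffic.
HDR = b'Content-Disposition: attachment; filename="%s"\r\n'
SAMPLES = {
    "lowercase": (25, True, HDR % b"www.myparty.yahoo.com"),
    "mixed case": (25, True, HDR % b"WWW.MyParty.Yahoo.COM"),
    "one digit": (25, True, HDR % b"www.myparty.yahoo2.com"),
    "two digits": (25, True, HDR % b"www.myparty.yahoo22.com"),
    "other host": (25, True, HDR % b"www.myparty.example.com"),
    "port 110": (110, True, HDR % b"www.myparty.yahoo.com"),
    "to client": (25, False, HDR % b"www.myparty.yahoo.com"),
}


def run_samples():
    """Return {sample name: True if the signature would alarm}."""
    return {name: signature_fires(*flow) for name, flow in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{name:12} {'ALARM' if fired else 'no alarm'}")
```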
01-29-2002 04:15 AM
Thanks for the assist. I was actually very close... Guess I'm finally learning!
Thanks again.