New Member

Storm Worm False Positives - How can I really detect it?

I'm running a small army of IPS sensors in our network, and since upgrading the sensors and MARS today, I've seen huge numbers of signature 5894, the Storm Worm signature. Now, the signature specifies that it can fire for any nginx server, and I speculate that that's what is happening (it's fired for Yahoo sites, etc.).

So, is there any way I can more finely tune this, or is there other traffic that would be present in the case that a workstation was truly infected? Our users have shown a concern about this Storm Worm and I need to be prepared.

Thanks.

1 REPLY
Gold

Re: Storm Worm False Positives - How can I really detect it?

Take a look here for a pretty good analysis of the worm:

http://www.cyber-ta.org/pubs/StormWorm/

Storm is constantly evolving, so YMMV. Based on the paper, the 5894-1 signature should detect infected machines. 5894-0 is not so good and will generate all sorts of false positives on a network with a reasonable amount of user web browsing traffic.
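A triage pass along the lines of that reply, as an added example that is not from the thread or from Cisco: it separates 5894-1 hits, which the reply says indicate infected machines, from 5894-0 hits to known nginx front ends, which is the false-positive case the question describes. The event line format, the addresses and the allow list are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed, simplified event lines (not real Cisco IPS or MARS output):
# "<src_ip> -> <dst_ip> sig=<id> subsig=<n> note=<label>", one event per line.
EVENTS = """\
10.1.2.15 -> 69.147.125.65 sig=5894 subsig=0 note=yahoo-nginx
10.1.2.15 -> 69.147.125.65 sig=5894 subsig=0 note=yahoo-nginx
10.1.2.40 -> 208.80.152.2 sig=5894 subsig=0 note=wiki-nginx
10.1.2.55 -> 192.0.2.44 sig=5894 subsig=0 note=unknown-server
10.1.2.77 -> 203.0.113.9 sig=5894 subsig=1 note=p2p-peer
10.1.2.77 -> 198.51.100.23 sig=5894 subsig=1 note=p2p-peer
10.1.2.90 -> 10.1.2.1 sig=3050 subsig=0 note=unrelated
"""

# Constructed allow list: destinations verified to be legitimate nginx front
# ends. 5894-0 hits to them are the benign "any nginx server" case.
KNOWN_NGINX = {"69.147.125.65", "208.80.152.2"}

LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) sig=(?P<sig>\d+) subsig=(?P<sub>\d+)")


def triage(events: str, known_nginx=KNOWN_NGINX):
    """Return (escalate, suppressed, review), each keyed by source host.

    escalate  : count of 5894-1 hits, the subsignature the reply trusts
    suppressed: count of 5894-0 hits whose destination is a known nginx server
    review    : destinations of 5894-0 hits that are not on the allow list
    """
    escalate, suppressed = defaultdict(int), defaultdict(int)
    review = defaultdict(set)
    for line in events.splitlines():
        m = LINE_RE.match(line)
        if not m or m["sig"] != "5894":
            continue  # only the Storm Worm signature matters here
        src, dst, sub = m["src"], m["dst"], m["sub"]
        if sub == "1":
            escalate[src] += 1
        elif dst in known_nginx:
            suppressed[src] += 1
        else:
            review[src].add(dst)
    return dict(escalate), dict(suppressed), {k: sorted(v) for k, v in review.items()}


if __name__ == "__main__":
    for name, result in zip(("escalate", "suppressed", "review"), triage(EVENTS)):
        print(name, result)
```

Hosts in `escalate` get the incident-response treatment; hosts in `review` are candidates for either extending the allow list (after confirming the destination really is a plain nginx server) or closer inspection.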
