2007637
r3 - 25 Feb 2008 - 15:02:28 - MattJonkman

#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Outbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_src; classtype:trojan-activity; sid:2007637; rev:2;)

Added 2008-02-25 10:04:01 UTC

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Outbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_src; classtype:trojan-activity; sid:2007637; rev:2;)

Added 2008-01-31 10:12:24 UTC

Disabled by default, these tend to FP on Skype and some online games (Call of Duty, etc).

If you do not run these types of apps, this sig is relatively reliable. However, 2007701 and 2007702 are more reliable in any environment.

-- MattJonkman - 25 Feb 2008
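As an added illustration (not code from this page or from the Emerging Threats ruleset), the Python below models the rule's static match and its threshold option over constructed UDP records, so the effect of "count 10, seconds 60, track by_src" and the Skype/game false-positive problem noted above can be seen concretely. It uses my reading of Snort's documented "type threshold" semantics (alert on every count-th event inside the window); HOME_NET is assumed to be 10.0.0.0/24 and all hosts, ports and timestamps are invented.

```python
from dataclasses import dataclass

HOME_NET_PREFIX = "10.0.0."  # assumption: HOME_NET is 10.0.0.0/24, checked by prefix for brevity

@dataclass
class Packet:
    ts: float          # epoch seconds
    src: str
    sport: int
    dst: str
    dport: int
    payload_len: int   # UDP payload bytes, what Snort's dsize compares

def matches_rule(p: Packet) -> bool:
    """Static part of sid 2007637: HOME_NET -> EXTERNAL_NET, both ports 1024:65535, dsize:2."""
    inside_out = p.src.startswith(HOME_NET_PREFIX) and not p.dst.startswith(HOME_NET_PREFIX)
    ports_ok = 1024 <= p.sport <= 65535 and 1024 <= p.dport <= 65535
    return inside_out and ports_ok and p.payload_len == 2

class Threshold:
    """'threshold: type threshold, count N, seconds S, track by_src': alert on every N-th
    matching event from one source inside an S-second window (window restarts on expiry)."""
    def __init__(self, count: int, seconds: int):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> (window_start, hits since last alert)

    def fire(self, key: str, ts: float) -> bool:
        start, hits = self.state.get(key, (ts, 0))
        if ts - start > self.seconds:   # window expired: start a fresh one
            start, hits = ts, 0
        hits += 1
        if hits >= self.count:
            self.state[key] = (start, 0)
            return True
        self.state[key] = (start, hits)
        return False

def run_rule(packets, count=10, seconds=60):
    """Return (timestamp, src) for every alert the rule would emit on the packet list."""
    th = Threshold(count, seconds)
    return [(p.ts, p.src) for p in sorted(packets, key=lambda p: p.ts)
            if matches_rule(p) and th.fire(p.src, p.ts)]

# Constructed traffic. .5 sends 25 two-byte datagrams in under 30 s: a Storm-style ack burst or, as
# the note above warns, an ordinary Skype/game client, which this rule cannot tell apart. .7 stays
# below the count (9 in 48 s); .9 sends 64-byte datagrams, which dsize:2 never matches.
SAMPLE = (
    [Packet(1000 + i, "10.0.0.5", 40000 + i, "203.0.113.10", 7871, 2) for i in range(25)]
    + [Packet(1000 + 6 * i, "10.0.0.7", 41000, "198.51.100.20", 9000, 2) for i in range(9)]
    + [Packet(1000 + i, "10.0.0.9", 42000, "198.51.100.30", 27015, 64) for i in range(30)]
)
```

Running `run_rule(SAMPLE)` yields two alerts, both for 10.0.0.5 (on its 10th and 20th datagram), and nothing for the host that stayed at nine hits per minute; the rule sees only packet size and rate, which is exactly why a chatty P2P or game client trips it.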




alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Traffic Outbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_src; classtype:trojan-activity; sid:2007637; rev:1;)

Added 2007-10-15 11:55:08 UTC

StormWorm related

-- MattJonkman - 15 Oct 2007


Emerging Threats