#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007634; classtype:trojan-activity; sid:2007634; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2018-09-13 19:39:18 UTC
Added 2018-09-13 17:53:33 UTC
#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007634; classtype:trojan-activity; sid:2007634; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2017-08-07 21:00:54 UTC
##alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007634; classtype:trojan-activity; sid:2007634; rev:4;)
Added 2014-09-02 19:50:42 UTC
#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007634; classtype:trojan-activity; sid:2007634; rev:3;)
Added 2011-10-12 19:23:29 UTC
#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007634; sid:2007634; rev:3;)
Added 2011-09-14 22:37:03 UTC
#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007634; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm; sid:2007634; rev:3;)
Added 2011-02-04 17:26:45 UTC
From Michael Lubinski:
I do believe I have found an FP for sid 2007634. It's always triggering on destination port 27015 with a payload of
length = 25
000 : FF FF FF FF 54 53 6F 75 72 63 65 20 45 6E 67 69 ....TSource Engi
010 : 6E 65 20 51 75 65 72 79 00 ne Query.
There is a half life server running on the snort'd network which is causing this alert. I'm just going to threshold it out via destination IP because this is a pretty specialized case and I wouldn't imagine others would have the same issue.
--
MattJonkman - 01 Jul 2011
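The report above says why the rule fires on a Source Engine server: the A2S_INFO query is exactly 25 bytes, so it satisfies dsize:25 on high UDP ports, and a busy game client sends enough of them to cross the 40-in-60-seconds threshold. The following is an added example, not code from Emerging Threats, Snort or Suricata: it re-creates the rule's header, dsize and by_src threshold checks in Python (a simplified model of the engine's threshold semantics), runs them over a constructed flow of A2S_INFO queries, and shows the effect of the destination-IP suppression that the reporter chose. The IP addresses, source port and timestamps are constructed; the game server address 192.0.2.10 is a placeholder.

```python
"""Model of ET sid 2007634 (udp, ports 1024:65535 -> 1024:65535, dsize:25,
threshold count 40 / 60 s, track by_src) run against a constructed
Source Engine A2S_INFO query flow.  Added example, not the ET rule engine."""
from collections import defaultdict

# Constructed from the hex dump in the false-positive report:
# FF FF FF FF header, "TSource Engine Query", NUL terminator = 25 bytes.
A2S_INFO_QUERY = b"\xff\xff\xff\xff" + b"TSource Engine Query" + b"\x00"


def rule_2007634_matches(proto, src_port, dst_port, payload):
    """Header and dsize checks of the rule.  Resolving $HOME_NET ->
    $EXTERNAL_NET direction is left to the caller."""
    return (proto == "udp"
            and 1024 <= src_port <= 65535
            and 1024 <= dst_port <= 65535
            and len(payload) == 25)


class BySrcThreshold:
    """Simplified model of 'threshold: type threshold, count N, seconds S,
    track by_src': an alert is emitted on every N-th match from one source
    within an S-second window; the window restarts when the alert fires."""

    def __init__(self, count=40, seconds=60):
        self.count, self.seconds = count, seconds
        self.hits = defaultdict(int)   # src ip -> matches in current window
        self.window_start = {}         # src ip -> window start timestamp

    def record(self, src_ip, ts):
        start = self.window_start.get(src_ip)
        if start is None or ts - start >= self.seconds:
            self.window_start[src_ip] = ts
            self.hits[src_ip] = 0
        self.hits[src_ip] += 1
        if self.hits[src_ip] >= self.count:
            self.hits[src_ip] = 0
            self.window_start[src_ip] = ts
            return True
        return False


# Equivalent threshold.conf / threshold.config entry for the tuning chosen
# in the report (placeholder address):
#   suppress gen_id 1, sig_id 2007634, track by_dst, ip 192.0.2.10
SUPPRESS_GAME_SERVER = frozenset({"192.0.2.10"})


def process(packets, suppress_dst=frozenset(), thr=None):
    """Run the rule over packet dicts and return (ts, src, dst) alert tuples."""
    thr = thr or BySrcThreshold()
    alerts = []
    for pkt in packets:
        if not rule_2007634_matches(pkt["proto"], pkt["sport"],
                                    pkt["dport"], pkt["payload"]):
            continue
        if pkt["dst"] in suppress_dst:      # suppression is checked before thresholding
            continue
        if thr.record(pkt["src"], pkt["ts"]):
            alerts.append((pkt["ts"], pkt["src"], pkt["dst"]))
    return alerts


def make_a2s_flow(n, src="10.0.0.5", dst="192.0.2.10", start=0.0, gap=1.0):
    """Constructed flow: n A2S_INFO queries from one client to a game server on
    UDP 27015, one every `gap` seconds, from a fixed high source port."""
    return [{"proto": "udp", "src": src, "sport": 27005, "dst": dst,
             "dport": 27015, "payload": A2S_INFO_QUERY, "ts": start + i * gap}
            for i in range(n)]


if __name__ == "__main__":
    print("A2S_INFO query length:", len(A2S_INFO_QUERY))
    print("untuned alerts over 80 queries:", process(make_a2s_flow(80)))
    print("with by_dst suppression:",
          process(make_a2s_flow(80), suppress_dst=SUPPRESS_GAME_SERVER))
```

The point of the model is that the payload never has to look malicious for this rule to fire: dsize:25 on ephemeral ports is the whole content match, which is why the page's own comments describe it as FP-prone on Skype and game traffic. Suppressing by destination keeps the rule active for every other peer, whereas disabling it or raising the count would also hide genuine 25-byte bursts from the same host.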
#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007634; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm; sid:2007634; rev:3;)
Added 2009-02-13 19:47:25 UTC
#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007634; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm; sid:2007634; rev:3;)
Added 2009-02-13 19:46:38 UTC
#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007634; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm; sid:2007634; rev:3;)
Added 2009-02-13 19:45:23 UTC
#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; classtype:trojan-activity; sid:2007634; rev:2;)
Added 2008-02-25 10:04:01 UTC
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; classtype:trojan-activity; sid:2007634; rev:2;)
Added 2008-01-31 10:12:24 UTC
Disabled by default, these tend to FP on Skype and some online games (Call of Duty, etc).
If you do not run these types of apps, this sig is relatively reliable. However, 2007701 and 2007702 are more reliable in any environment.
--
MattJonkman - 25 Feb 2008
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; classtype:trojan-activity; sid:2007634; rev:1;)
Added 2007-10-15 11:55:08 UTC
StormWorm related
--
MattJonkman - 15 Oct 2007