[Emerging-Sigs] Stream 5 UDP flow for Storm Worm Signatures?

Jeremy cjeremy at gmail.com
Sun Jan 6 18:34:57 EST 2008


Good Afternoon:

I was experimenting with stream5 flow for UDP session tracking
(stream5_udp) and thought this might be a good solution for all the
false positives the current Storm Worm signatures generate,
specifically sid:2007634 and sid:2007635.  So I modified the rules to
look like this:

##################################################################################
# Rule 1: outbound 25-byte datagram. Sets storm.out on the UDP session and
# never alerts on its own (flowbits:noalert). The threshold here has no
# effect: thresholding limits alert output, and this rule produces none; the
# flowbit is set on every match regardless.
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"TROJAN Storm Worm Encrypted Traffic Outbound - set flowbit noalert"; flow:established,from_client; flowbits:set,storm.out; flowbits:noalert; dsize:25; threshold: type both, count 40, seconds 60, track by_src; classtype:trojan-activity; sid:1; rev:1;)

# Rule 2: inbound 2-byte reply on the same session. This packet travels from
# the external peer back to the host that opened the session, so the flow
# keyword must be to_client (from_server); with to_server, as originally
# posted, the reply direction would not match and the chain could never
# alert. The flowbit is consumed so each alert reflects one full exchange.
alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"TROJAN Storm Worm Encrypted Traffic Full connection established"; flow:established,to_client; flowbits:isset,storm.out; flowbits:unset,storm.out; dsize:2; threshold: type both, count 10, seconds 60, track by_dst; classtype:trojan-activity; sid:2; rev:1;)

# sid:1 and sid:2 are placeholders; local rules should use sids of 1000000 or above.
#####################################################################################

This seems to work fairly well on my pcaps of the Storm Worm, but I
wanted to see if any of you see anything wrong with this.  I have the
threshold set to "both", but it could be set to "threshold" just like
sid:2007634 and sid:2007635; your preference.  I prefer fewer alerts
for the same IPs.  Do you think this would cut down on the false
positives?  I have noticed that most of the false positives are one
rule triggering and the other not triggering.  Using flowbits we get
rid of that scenario altogether.

Your comments welcomed and appreciated.


-- 
/jeremy

With yet another email virus spreading across the globe, 41 US states
and six European countries today announced that the act of creating an
attachment-based computer virus will now be considered a hate crime
because it intentionally targets stupid people. Like any other segment
of the population, people of stupidity need protection from bias.
(SatireWire)
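As an added illustration (not part of Jeremy's post, and not Snort's own code), here is a small Python model of the two-rule chain above, run over constructed UDP datagrams. It approximates a stream5_udp session by a direction-independent address/port tuple, flowbits:set/isset/unset by a per-session flag, and "threshold: type both, track by_dst" by a per-destination counter that fires once per 60-second window. The home network prefix, peer addresses, ports and the traffic itself are all made up for the example.

```python
"""Toy model of the two-rule flowbits chain from the post (added example,
not Snort code). Approximates stream5_udp session keying, flowbits
set/isset/unset, and 'threshold: type both' over constructed datagrams."""
from dataclasses import dataclass

HOME_PREFIX = "10.0.0."  # stands in for $HOME_NET; assumption for the example


@dataclass(frozen=True)
class Datagram:
    ts: float    # seconds
    src: str
    sport: int
    dst: str
    dport: int
    dsize: int   # UDP payload length, what Snort's dsize matches


def is_home(ip):
    return ip.startswith(HOME_PREFIX)


def flow_key(d):
    """Direction-independent address/port tuple, roughly a stream5_udp session."""
    a, b = (d.src, d.sport), (d.dst, d.dport)
    return (a, b) if a <= b else (b, a)


def ephemeral_ports(d):
    return 1024 <= d.sport <= 65535 and 1024 <= d.dport <= 65535


class StormChain:
    def __init__(self, count=10, seconds=60):
        self.count, self.seconds = count, seconds
        self.storm_out = set()  # sessions with flowbit storm.out set
        self.windows = {}       # dst -> (window_start, hits) for 'type both'
        self.alerts = []

    def process(self, d):
        if not ephemeral_ports(d):
            return None
        key = flow_key(d)
        # Rule 1: outbound 25-byte datagram sets the flowbit and never alerts.
        if is_home(d.src) and not is_home(d.dst) and d.dsize == 25:
            self.storm_out.add(key)
            return None
        # Rule 2: inbound 2-byte datagram on a session already flagged.
        if (is_home(d.dst) and not is_home(d.src) and d.dsize == 2
                and key in self.storm_out):
            self.storm_out.discard(key)  # flowbits:unset,storm.out
            return self._threshold_both(d)
        return None

    def _threshold_both(self, d):
        """'type both, track by_dst': one alert when count is reached inside
        the window, silence for the rest of the window, then start over."""
        start, hits = self.windows.get(d.dst, (d.ts, 0))
        if d.ts - start >= self.seconds:
            start, hits = d.ts, 0
        hits += 1
        self.windows[d.dst] = (start, hits)
        if hits == self.count:
            alert = ("Storm Worm full connection established", d.dst, d.ts)
            self.alerts.append(alert)
            return alert
        return None


def run(datagrams):
    chain = StormChain()
    for d in sorted(datagrams, key=lambda x: x.ts):
        chain.process(d)
    return chain.alerts


def constructed_traffic():
    """Constructed sample traffic (not a real capture)."""
    pkts = []
    # Infected host: 25-byte probes to 12 peers, each answered with 2 bytes.
    for i in range(12):
        peer = f"203.0.113.{i + 1}"
        pkts.append(Datagram(i * 1.0, "10.0.0.5", 7871, peer, 4000 + i, 25))
        pkts.append(Datagram(i * 1.0 + 0.2, peer, 4000 + i, "10.0.0.5", 7871, 2))
    # Benign host: 25-byte outbound datagrams never answered with 2 bytes.
    for i in range(50):
        pkts.append(Datagram(i * 0.5, "10.0.0.9", 50000, "198.51.100.7", 27015, 25))
    # Unsolicited 2-byte inbound datagrams with no matching outbound probe.
    for i in range(20):
        pkts.append(Datagram(i * 0.5, "198.51.100.8", 5060 + i, "10.0.0.12", 40000, 2))
    return pkts


if __name__ == "__main__":
    for a in run(constructed_traffic()):
        print(a)
```

Run directly, it prints a single alert for 10.0.0.5, the host whose 25-byte probes were answered with 2-byte datagrams, and nothing for the host that only sends 25-byte datagrams or the host that only receives 2-byte ones, which is exactly the one-rule-fires-without-the-other case the chained rules are meant to suppress.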