[Emerging-Sigs] Stream 5 UDP flow for Storm Worm Signatures?

Matt Jonkman jonkman at jonkmans.com
Sun Jan 6 20:23:58 EST 2008


I think this is an excellent way to go after these sigs. It is annoying
to get so many storm hits, but a necessity. This approach would help.

The snag is that this would be our first real non-backward compatible
sigs. We really need to go there of course, but it's a big change.

By show of hands, how many folks are using pre-stream5 with udp support?

Matt

Jeremy wrote:
> Good Afternoon:
> 
> I was experimenting with stream 5 flow for UDP session tracking
> (stream5_udp) and thought this might be a good solution for all the
> false positives the current Storm Worm signatures generate,
> specifically sid:2007634 and sid:2007635.  So I modified the rules to
> look like this:
> 
> ##################################################################################
> # Outbound 25-byte datagram from the session's client: set the flowbit, no alert.
> alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 \
>   (msg:"TROJAN Storm Worm Encrypted Traffic Outbound - set flowbit noalert"; \
>   flow:established,from_client; flowbits:set,storm.out; flowbits:noalert; \
>   dsize:25; threshold: type both, count 40, seconds 60, track by_src; \
>   classtype:trojan-activity; sid:1; rev:1;)
> 
> # Inbound 2-byte reply on the same session: alert only if the flowbit was set.
> # The reply travels server->client, so the flow keyword is to_client
> # (to_server on a $EXTERNAL_NET -> $HOME_NET reply would never match).
> alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 \
>   (msg:"TROJAN Storm Worm Encrypted Traffic Full connection established"; \
>   flow:established,to_client; flowbits:isset,storm.out; flowbits:unset,storm.out; \
>   dsize:2; threshold: type both, count 10, seconds 60, track by_dst; \
>   classtype:trojan-activity; sid:2; rev:1;)
> #####################################################################################
> 
> This seems to work fairly well on my pcaps of the storm worm, but I
> wanted to see if any of you all see anything wrong with this...  I
> have the threshold set to "both" but it could be set to "threshold"
> just like sid:2007634 and sid:2007635, your preference.  I prefer fewer
> alerts for the same IPs.  Do you think this would cut down on the
> false positives?  I have noticed that most of the false positives are one
> rule triggering and the other not triggering.  Using flowbits we get
> rid of that scenario altogether.
> 
> Your comments welcomed and appreciated.
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Fax 61-29-4750-026
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
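To show why pairing the two rules with a flowbit removes the "one rule fires, the other does not" false positives, here is an added example that re-implements the logic of the two proposed rules in Python over a constructed set of UDP datagrams. It is not code from the thread or from Emerging Threats; the Snort behaviour it models (stream5 treating the first sender as the client, flowbits scoped to the session, threshold type both firing once per window) is stated as an assumption in the comments, the network addresses and the HOME_NET prefix are made up, and the inbound rule is modelled as a server-to-client reply. The outbound rule's threshold is omitted because flowbits:noalert means that rule never alerts anyway.

```python
"""Model of the paired flowbit Storm Worm rules over constructed UDP datagrams.

Assumptions (not verified against the Snort source):
  - stream5_udp treats the first sender seen on a 5-tuple as the client.
  - flowbits are scoped to that session.
  - threshold: type both, count N, seconds S fires once per S-second window
    once N matching packets have been seen for the tracked address.
"""
from dataclasses import dataclass

HOME_NET_PREFIX = "10.0.0."      # hypothetical $HOME_NET: 10.0.0.0/24
EPHEMERAL = range(1024, 65536)   # the 1024:65535 port ranges in both rules
MSG_FULL = "TROJAN Storm Worm Encrypted Traffic Full connection established"


@dataclass(frozen=True)
class Datagram:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    dsize: int


def is_home(ip: str) -> bool:
    return ip.startswith(HOME_NET_PREFIX)


class Threshold:
    """threshold: type both, count N, seconds S, track by one address."""

    def __init__(self, count: int, seconds: float):
        self.count, self.seconds = count, seconds
        self.state = {}  # addr -> [window_start, hits, already_fired]

    def check(self, addr: str, ts: float) -> bool:
        st = self.state.get(addr)
        if st is None or ts - st[0] >= self.seconds:
            st = self.state[addr] = [ts, 0, False]
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


class StormDetector:
    def __init__(self, inbound_count: int = 10, seconds: float = 60.0):
        self.flows = {}  # session key -> {"client": (ip, port), "bits": set()}
        self.th_in = Threshold(inbound_count, seconds)
        self.alerts = []

    def _session(self, d: Datagram) -> dict:
        key = frozenset({(d.src, d.sport), (d.dst, d.dport)})
        if key not in self.flows:
            # first packet on the 5-tuple defines the client (stream5 assumption)
            self.flows[key] = {"client": (d.src, d.sport), "bits": set()}
        return self.flows[key]

    def feed(self, d: Datagram) -> None:
        if d.sport not in EPHEMERAL or d.dport not in EPHEMERAL:
            return
        sess = self._session(d)
        from_client = (d.src, d.sport) == sess["client"]
        # sid:1 equivalent: outbound 25-byte datagram from the client,
        # flowbits:set,storm.out; flowbits:noalert
        if is_home(d.src) and not is_home(d.dst) and from_client and d.dsize == 25:
            sess["bits"].add("storm.out")
        # sid:2 equivalent: 2-byte reply from the server side, only if the
        # flowbit is set on this session; flowbits:unset so each reply is
        # paired with exactly one outbound datagram
        elif (not is_home(d.src) and is_home(d.dst) and not from_client
              and d.dsize == 2 and "storm.out" in sess["bits"]):
            sess["bits"].discard("storm.out")
            if self.th_in.check(d.dst, d.ts):
                self.alerts.append((d.ts, d.dst, MSG_FULL))


def sample_traffic() -> list:
    """Constructed datagrams, not a real capture."""
    pkts, t = [], 0.0
    infected = "10.0.0.5"
    for i in range(12):  # infected host polls 12 peers, each answers with 2 bytes
        peer, port = f"198.51.100.{i + 1}", 20000 + i
        pkts.append(Datagram(t, infected, 7871, peer, port, 25)); t += 0.5
        pkts.append(Datagram(t, peer, port, infected, 7871, 2)); t += 0.5
    # benign: a 25-byte outbound request answered with a large reply
    pkts.append(Datagram(t, "10.0.0.9", 40000, "203.0.113.7", 5060, 25)); t += 0.1
    pkts.append(Datagram(t, "203.0.113.7", 5060, "10.0.0.9", 40000, 300)); t += 0.1
    # benign: 15 unsolicited inbound 2-byte datagrams; the old standalone
    # inbound rule would have thresholded on these, the paired rule cannot
    for i in range(15):
        pkts.append(Datagram(t, "203.0.113.8", 30000 + i, "10.0.0.9", 50000 + i, 2)); t += 0.1
    return pkts


def run(pkts: list) -> list:
    det = StormDetector()
    for d in sorted(pkts, key=lambda p: p.ts):
        det.feed(d)
    return det.alerts


if __name__ == "__main__":
    for ts, host, msg in run(sample_traffic()):
        print(f"{ts:6.1f} {host} {msg}")
```

Running it produces a single alert for 10.0.0.5 at the tenth paired reply; the benign host never alerts, because its 25-byte request got a 300-byte answer and the unsolicited 2-byte datagrams never had a flowbit set on their sessions.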
