##alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; reference:url,doc.emergingthreats.net/2007636; classtype:trojan-activity; sid:2007636; rev:4;)

Added 2014-09-02 19:50:42 UTC


#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; reference:url,doc.emergingthreats.net/2007636; classtype:trojan-activity; sid:2007636; rev:3;)

Added 2011-10-12 19:23:29 UTC


#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007636; sid:2007636; rev:3;)

Added 2011-09-14 22:37:03 UTC


#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007636; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm; sid:2007636; rev:3;)

Added 2011-02-04 17:26:45 UTC


#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007636; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm; sid:2007636; rev:3;)

Added 2009-02-13 19:47:25 UTC


#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007636; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm; sid:2007636; rev:3;)

Added 2009-02-13 19:47:25 UTC


#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007636; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm; sid:2007636; rev:3;)

Added 2009-02-13 19:46:38 UTC


#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007636; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm; sid:2007636; rev:3;)

Added 2009-02-13 19:46:38 UTC


#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007636; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm; sid:2007636; rev:3;)

Added 2009-02-13 19:45:23 UTC


#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007636; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Storm; sid:2007636; rev:3;)

Added 2009-02-13 19:45:23 UTC


#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; classtype:trojan-activity; sid:2007636; rev:2;)

Added 2008-01-31 10:12:24 UTC

Disabled by default; these tend to false-positive (FP) on Skype and some online games (Call of Duty, etc.).

If you do not run these types of apps, this signature is relatively reliable. However, sids 2007701 and 2007702 are more reliable in any environment.

-- MattJonkman - 25 Feb 2008


#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; classtype:trojan-activity; sid:2007636; rev:2;)

Added 2008-01-31 10:12:24 UTC


#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; classtype:trojan-activity; sid:2007636; rev:1;)

Added 2007-10-25 02:32:18 UTC


#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; classtype:trojan-activity; sid:2007636; rev:1;)

Added 2007-10-25 02:32:18 UTC


alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; classtype:trojan-activity; sid:2007636; rev:1;)

Added 2007-10-15 11:55:08 UTC

Storm Worm related.

-- MattJonkman - 15 Oct 2007


Topic revision: r3 - 2008-02-25 - MattJonkman