Sniff'em Filter Database
Sniff'em™ is versatile. Period. Sniff'em's extensive and flexible filter rules make it possible to catch virtually any byte of an Internet packet you like. Following is a small list of premade filter sets which might come in handy for the general public. Please note that Sniff'em™ is not an antivirus product per se; it can, however, be configured to act as a basic network intrusion detection device.
Premade Filterset database
Worms.sef [Download]
It is currently able to detect:
Badtrans (POP3, SMTP): generic Badtrans detection using a fingerprint of the way it abuses the IFRAME vulnerability to make Outlook execute its code without user intervention. Sniff'em™ will detect Badtrans in e-mails coming from a POP3 service as well as in e-mails being sent out via SMTP, so it also catches Badtrans spreading itself.
Hybris (POP3, SMTP): generic Hybris detection using the static FROM field it generates. Although this could result in false positives, the probability is negligible. Sniff'em™ will detect Hybris-infected e-mails coming from a POP3 service as well as e-mails being sent out via SMTP, so it also catches a Hybris variant spreading.
Nimda (HTTP): generic Nimda detection for both possibilities, i.e. an infected host is scanning you, or you are scanning an infected host. We intentionally left out the JavaScript window.open("readme.eml") fingerprint (the snippet Nimda injects into web pages) to optimize the filter set.
Code Red version 1 (I) and 2 (II) (HTTP): detects attempted access to the backdoor that Code Red II drops onto the IIS server (root.exe), as well as a generic fingerprint of the scanning procedure. It will detect both your host scanning others and your host being scanned by others.
Structure of a Sniff'em filter file
A .sef (Sniff'em Filter) file is not an obscure proprietary format used to hide our filter set rules; it can be opened and modified with a simple text editor such as notepad.exe. Following is a snippet from the worms.sef file.
{Email Worms}
(
Enabled: 1;
HighLevel: "#0800*";
LowLevel: "*6*";
PORTSRC[0]: "*";
PORTDEST[0]: "25";
PORTSRC[1]: "110";
PORTDEST[1]: "*";
ASCII[0]: "iframe src=3Dcid:EA4DMGBP9p";
ASCII[1]: "Hahaha hahaha@sexyfun.net";
HighLevel.EX: 0;
LowLevel.EX: 0;
IP.EX: 1;
PORT.EX: 0;
MAC.EX: 0;
ADV.EX: 0;
ASCII.EX: 0;
)
| Field | Meaning |
|---|---|
| {Email Worms} | The name of the filter. |
| Enabled | Set to 1, which means this filter is currently enabled. |
| HighLevel | "#0800*": inclusively capture only 0800 (IP) packets. |
| LowLevel | "*6*": capture only TCP (IP protocol 6) traffic. |
| PortSrc[0] | "*", a wildcard: the source port can be anything. |
| PortDest[0] | 25, i.e. SMTP traffic. |
| Result | *<->25: any IP/TCP traffic TO port 25 is considered. |
| PortSrc[1] | 110, i.e. POP3 traffic. |
| PortDest[1] | "*", a wildcard: the destination port can be anything. |
| Result | 110<->*: any IP/TCP traffic FROM port 110 is considered. |
| Ascii[0] | "iframe src=3Dcid:EA4DMGBP9p" |
| Result | *<->25: any IP/TCP traffic TO port 25 that contains the ASCII data "iframe src=3Dcid:EA4DMGBP9p" is now captured. |
| Ascii[1] | "Hahaha hahaha@sexyfun.net" |
| Result | 110<->*: any IP/TCP traffic FROM port 110 that contains the ASCII data "Hahaha hahaha@sexyfun.net" is now captured. |
Note that you might break the filter while playing with it. Always take care to create backups, and use the Filter dialog to create the roots of the filters (HighLevel, LowLevel) first; then add the data you want with a simple text editor.
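To make the port and ASCII rules above concrete, and to show how the worms.sef set catches Badtrans and Hybris in both the POP3 and the SMTP direction, here is an added example. It is not Sniff'em's own code, and the page does not document how the engine combines rules, so the following semantics are assumed: the PORTSRC[n]/PORTDEST[n] pairs are OR-ed with each other, the ASCII[n] strings are OR-ed with each other, the two groups are AND-ed, a ".EX: 1" flag inverts its group, and ASCII strings are literal substrings of the TCP payload. The sample segments are constructed; HighLevel/LowLevel (IP, TCP) are taken as given for them.

```python
"""Parse a Sniff'em .sef filter block and run it over sample TCP segments.

Added example, not Sniff'em's own code. Rule-combination semantics
(OR within the port group, OR within the ASCII group, AND between groups,
".EX: 1" inverts a group) are assumed; the page does not state them.
"""
import re

# Constructed copy of the worms.sef snippet shown on the page.
WORMS_SEF = '''
{Email Worms}
(
Enabled: 1;
HighLevel: "#0800*";
LowLevel: "*6*";
PORTSRC[0]: "*";
PORTDEST[0]: "25";
PORTSRC[1]: "110";
PORTDEST[1]: "*";
ASCII[0]: "iframe src=3Dcid:EA4DMGBP9p";
ASCII[1]: "Hahaha hahaha@sexyfun.net";
HighLevel.EX: 0;
LowLevel.EX: 0;
IP.EX: 1;
PORT.EX: 0;
MAC.EX: 0;
ADV.EX: 0;
ASCII.EX: 0;
)
'''

# {name} followed by a ( ... ) body that ends with ")" on its own line.
_BLOCK = re.compile(r'\{([^}]*)\}\s*\((.*?)\n\)', re.S)
# KEY[idx]: "value";  (quotes and index are optional)
_ENTRY = re.compile(r'^\s*([A-Za-z.]+)(?:\[(\d+)\])?\s*:\s*"?(.*?)"?;\s*$', re.M)


def parse_sef(text):
    """Return {filter_name: fields}; indexed keys become {index: value} dicts."""
    filters = {}
    for name, body in _BLOCK.findall(text):
        fields = {}
        for key, idx, value in _ENTRY.findall(body):
            if idx == '':
                fields[key] = value
            else:
                fields.setdefault(key, {})[int(idx)] = value
        filters[name.strip()] = fields
    return filters


def _port_ok(pattern, port):
    """'*' matches any port; otherwise the pattern must equal the port number."""
    return pattern == '*' or pattern == str(port)


def _port_group_hit(filt, sport, dport):
    srcs = filt.get('PORTSRC', {})
    dsts = filt.get('PORTDEST', {})
    indexes = set(srcs) | set(dsts)
    if not indexes:  # no port rules at all: nothing to restrict
        return True
    return any(_port_ok(srcs.get(i, '*'), sport) and _port_ok(dsts.get(i, '*'), dport)
               for i in indexes)


def _ascii_group_hit(filt, payload):
    strings = filt.get('ASCII', {})
    if not strings:
        return True
    return any(s.encode('latin-1') in payload for s in strings.values())


def matches(filt, sport, dport, payload):
    """True if the TCP segment satisfies the filter's port and ASCII groups."""
    if filt.get('Enabled') != '1':
        return False
    # An "<group>.EX: 1" flag inverts that group's verdict (assumed semantics).
    port_ok = _port_group_hit(filt, sport, dport) != (filt.get('PORT.EX') == '1')
    ascii_ok = _ascii_group_hit(filt, payload) != (filt.get('ASCII.EX') == '1')
    return port_ok and ascii_ok


# Constructed sample segments: (label, source port, destination port, payload).
SAMPLES = [
    # Badtrans going out over SMTP: the quoted-printable IFRAME line.
    ('badtrans-smtp', 1044, 25,
     b'Content-Type: text/html\r\n\r\n<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>'),
    # Badtrans arriving over POP3: same string, server port 110 as source.
    ('badtrans-pop3', 110, 1049,
     b'+OK 2048 octets\r\n<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>'),
    # Hybris arriving over POP3: the static From field the filter keys on.
    ('hybris-pop3', 110, 1051,
     b'+OK 1234 octets\r\nFrom: Hahaha hahaha@sexyfun.net\r\n'),
    # Same Hybris string fetched over HTTP: no port rule covers 80 -> 1052.
    ('hybris-http', 80, 1052,
     b'HTTP/1.0 200 OK\r\n\r\nHahaha hahaha@sexyfun.net'),
    # Ordinary outbound mail: a port rule hits, no ASCII string does.
    ('clean-smtp', 1060, 25,
     b'From: alice@example.org\r\nSubject: lunch\r\n'),
]


def scan(filters, samples):
    """Return {label: [names of the filters that fired]} for each sample."""
    return {label: [name for name, f in filters.items() if matches(f, sport, dport, payload)]
            for label, sport, dport, payload in samples}


if __name__ == '__main__':
    for label, hits in scan(parse_sef(WORMS_SEF), SAMPLES).items():
        print(f'{label:14s} -> {hits or "no match"}')
```

The hybris-http sample is the one to watch: the string is present, but neither port rule covers a connection from port 80, so the filter stays silent. Conversely, clean-smtp passes the port group and fails the ASCII group. Both behaviours follow directly from the rule groups being AND-ed, which is what the "Result" rows in the table above describe.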