https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834540#M85641 <HTML><HEAD></HEAD><BODY><P>This signature is designed to detect the botnet behavior of an infected machine. Some possible options are to exclude your DNS servers as a source or destination, or you could modify the ports to ignore 53 (1-51,54-65535).</P></BODY></HTML> Thu, 27 Sep 2007 13:38:05 GMT mhellman 2007-09-27T13:38:05Z https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834539#M85640 <P>The signature generates false positives on DNS traffic.</P><P>An example is a DNS query with an Transaction ID: 0xE30F</P><P></P><P>At networks with a lot of DNS traffic the signature will produces 30+ alarms per day.</P> Sun, 10 Mar 2019 10:48:43 GMT https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834539#M85640 m-hansson 2019-03-10T10:48:43Z https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834540#M85641 <HTML><HEAD></HEAD><BODY><P>This signature is designed to detect the botnet behavior of an infected machine. Some possible options are to exclude your DNS servers as a source or destination, or you could modify the ports to ignore 53 (1-51,54-65535).</P></BODY></HTML> Thu, 27 Sep 2007 13:38:05 GMT https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834540#M85641 mhellman 2007-09-27T13:38:05Z https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834541#M85642 <HTML><HEAD></HEAD><BODY><P>Is it just me or lately the quality the signatures out of the box is less than satisfactory?</P><P></P></BODY></HTML> Wed, 03 Oct 2007 15:31:25 GMT https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834541#M85642 apolkosnik 2007-10-03T15:31:25Z https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834542#M85643 <HTML><HEAD></HEAD><BODY><P>How about modifying the signature so it wont look at the transaction ID for DNS traffic? - A lot better than having everyone with a Cisco IDS/IPS sensor to add filters or change the ports.</P><P></P><P>Yes I agree, signature quality is sometimes really poor. This is a good example.</P></BODY></HTML> Thu, 04 Oct 2007 09:54:23 GMT https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834542#M85643 m-hansson 2007-10-04T09:54:23Z https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834543#M85644 <HTML><HEAD></HEAD><BODY><P>Most people just don't want to be bothered with tweaking. If it's too noisy, it gets disabled.</P></BODY></HTML> Thu, 04 Oct 2007 12:29:12 GMT https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834543#M85644 apolkosnik 2007-10-04T12:29:12Z https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834544#M85645 <HTML><HEAD></HEAD><BODY><P>You might consider having generic filters for your DNS servers anyway. It is not uncommon for traffic to/from them to trigger a variety of signatures. Trying to create a regex that matches one thing but not another is sometimes very difficult. In our own environment, the botnet behavior would likely be very noticeable for other reasons, so the signature may not be the useful anyway.</P></BODY></HTML> Thu, 04 Oct 2007 13:21:19 GMT https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834544#M85645 mhellman 2007-10-04T13:21:19Z https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834545#M85646 <HTML><HEAD></HEAD><BODY><P>Ehh? So just because there already are a lot of bad quality signatures we should accept more?</P><P></P><P>I guess the current engines can't handle this type of advanced signatures and that's too bad. Several competitors are making way more advanced signatures.</P></BODY></HTML> Thu, 25 Oct 2007 13:50:02 GMT https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834545#M85646 m-hansson 2007-10-25T13:50:02Z https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834546#M85647 <HTML><HEAD></HEAD><BODY><P>No, you shouldn't, especially if you believe there is greener pasture available;-) You could open a ticket with Cisco to fix if you think it's possible to create a "tighter" signature. Until then, I would suggest filtering.</P></BODY></HTML> Mon, 29 Oct 2007 13:37:18 GMT https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834546#M85647 mhellman 2007-10-29T13:37:18Z https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834547#M85648 <HTML><HEAD></HEAD><BODY><P>I actually posted this before I saw this.</P><P></P><P><A class="jive-link-custom" href="http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe5171" target="_blank">http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&amp;forum=Security&amp;topic=General&amp;CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe5171</A></P><P></P><P></P><P>I'm seeing this fire falsely for an entirely different reason, for nginx servers.</P><P></P><P>Has anyone successfully tightened up this signature? If so, can you let me know how?</P><P></P><P>Thanks.</P></BODY></HTML> Mon, 29 Oct 2007 19:37:55 GMT https://community.cisco.com/t5/network-security/5894-1-storm-worm/m-p/834547#M85648 nykoelle01 2007-10-29T19:37:55Z