
netsky.p signature

darin.marais
Level 4

According to signature 3136.3, the regular expression that looks for Netsky.P is

\x68\x43\x7a\x65\x31\x57\x6c\x66\x57\x77\x69\x55\x33\x55\x43\x58\x59\x7a\x72\x79\x50\x6e\x4a\x45\x68\x38\x6f\x72\x0d\x0a\x4f\x31

When this is translated to ASCII it is

hCze1WlfWwiU3UCXYzryPnJEh8orO1

Is there an internet reference for the use of this string to capture Netsky.P?

How can I trust that the signature events are not false positive?

Accepted Solution

Darin,

In general a 32-byte section of particularly high entropy is looked for. The high entropy reduces (but obviously doesn't eliminate) the chance of a false positive.

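To make the accepted answer concrete, here is an added example (written for this page, not code from the thread, from Cisco, or from Trend Micro) that takes the hex pattern quoted for signature 3136.3, decodes it to the raw bytes it matches, measures their Shannon entropy, and runs the pattern over two constructed payloads. Decoding shows one detail the thread's ASCII rendering drops: the 32 bytes contain \x0d\x0a (CRLF) between "...h8or" and "O1", so the match is on the byte stream exactly as it appears on the wire, not on the printable 30-character string. The sample MIME fragments below are constructed for the demonstration and are not real Netsky.P traffic.

```python
import math
import re

# Pattern exactly as quoted in the thread for signature 3136.3 (hex escapes).
NETSKY_P_PATTERN = (
    r"\x68\x43\x7a\x65\x31\x57\x6c\x66\x57\x77\x69\x55\x33\x55\x43\x58"
    r"\x59\x7a\x72\x79\x50\x6e\x4a\x45\x68\x38\x6f\x72\x0d\x0a\x4f\x31"
)


def decode_hex_escapes(pattern):
    """Turn a string of \\xNN escapes into the raw bytes the signature matches."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", pattern))


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for one repeated byte, at most
    log2(len(data)) for a block this short (5.0 bits for 32 distinct bytes)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


SIG_BYTES = decode_hex_escapes(NETSKY_P_PATTERN)
# Match the literal bytes; re.escape keeps \r\n and any metacharacters literal.
SIG_REGEX = re.compile(re.escape(SIG_BYTES))


def scan(payload):
    """Return the offsets at which the 32-byte signature occurs in a payload."""
    return [m.start() for m in SIG_REGEX.finditer(payload)]


# Constructed sample payloads (not real traffic): a benign base64 body and one
# with the signature bytes embedded inside an encoded attachment body.
BENIGN = (
    b"MIME-Version: 1.0\r\nContent-Transfer-Encoding: base64\r\n\r\n"
    b"SGVsbG8sIHdvcmxkIQ==\r\n"
)
SUSPECT = (
    b"Content-Transfer-Encoding: base64\r\n\r\nQUFBQUFB" + SIG_BYTES + b"QUFBQUFB\r\n"
)
# The printable form from the thread, without the CRLF: it does NOT match.
PRINTABLE_ONLY = b"hCze1WlfWwiU3UCXYzryPnJEh8orO1"

if __name__ == "__main__":
    print(len(SIG_BYTES), "bytes:", SIG_BYTES)
    print("entropy of signature bytes: %.4f bits/byte" % shannon_entropy(SIG_BYTES))
    print("entropy of 32 x 'A':        %.4f bits/byte" % shannon_entropy(b"A" * 32))
    print("benign offsets:   ", scan(BENIGN))
    print("suspect offsets:  ", scan(SUSPECT))
    print("printable-only:   ", scan(PRINTABLE_ONLY))
```

The entropy of the 32 signature bytes works out to 4.5625 bits per byte (25 distinct values out of 32), against a theoretical maximum of 5.0 for a 32-byte block; that is the "high entropy" the answer refers to. Note that entropy is a property of the chosen pattern, not of the traffic: what it buys is that a 32-byte literal of this shape is very unlikely to occur by chance in unrelated data, which is why the false-positive rate is low but not zero.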

4 Replies

jdal
Cisco Employee

Hi Darin,

I'm afraid I'm not aware of any internet reference for the use of this string.

Our "virus signatures" such as this one are based on virus samples we receive from our partner Trend Micro.

If you feel this signature could trigger false positives, please provide some additional details.

Thanks,

JF

scothrel
Level 3

Darin,

Keep in mind that we are evaluating the binary network data, so a binary string is not unreasonable. I don't think you should expect to be able to "parse" the string in every case.

Scott

Hi Scott,

Thank you for your reply.

I know that we are evaluating binary data but I was perhaps just looking for some substantial evidence that would enhance my evaluation of the signature.

When writing about an attack, one of the sections requires that you normally explain the signature. Motivating for more stringent security checking in our products and solutions with regard to network security is often a difficult task. This task is made easier with proper explanations for how these checks are made and I was wondering about the choice of regular expression in this signature.

What makes or excludes the signature from triggering falsely?

Why that choice of string to look for in the network data?
