08-29-2005 05:02 AM - edited 03-10-2019 01:36 AM
According to signature 3136.3, the regular expression that looks for Netsky.P is
\x68\x43\x7a\x65\x31\x57\x6c\x66\x57\x77\x69\x55\x33\x55\x43\x58\x59\x7a\x72\x79\x50\x6e\x4a\x45\x68\x38\x6f\x72\x0d\x0a\x4f\x31
When this is translated to ASCII it is
hCze1WlfWwiU3UCXYzryPnJEh8orO1
Is there an internet reference for the use of this string to capture Netsky.P?
How can I trust that the signature events are not false positives?
08-30-2005 10:06 AM
Darin,
In general a 32-byte section of particularly high entropy is looked for. The high entropy reduces (but obviously doesn't eliminate) the chance of a false positive.
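As an added example (not from the thread or from Cisco's sensor code), the Python below decodes the signature's `\xHH` escapes into the 32 bytes the sensor actually matches, measures their byte-level Shannon entropy to make the "high entropy" argument concrete against a constant run and a plain-English string, and performs the same byte search on a constructed sample payload.

```python
import math
import re
from collections import Counter

# The regex for signature 3136.3 as quoted in the thread: one \xHH escape per byte.
NETSKY_P_PATTERN = (
    r"\x68\x43\x7a\x65\x31\x57\x6c\x66\x57\x77\x69\x55\x33\x55\x43\x58"
    r"\x59\x7a\x72\x79\x50\x6e\x4a\x45\x68\x38\x6f\x72\x0d\x0a\x4f\x31"
)


def pattern_to_bytes(pattern: str) -> bytes:
    """Turn a regex made only of \\xHH escapes into the literal bytes it matches.

    Note that bytes 29-30 are \\x0d\\x0a (CRLF), so the match is a 32-byte binary
    string, not just the 30 printable characters a reader sees when it is decoded.
    """
    escapes = re.findall(r"\\x([0-9a-fA-F]{2})", pattern)
    if len(escapes) * 4 != len(pattern):
        raise ValueError("pattern contains something other than \\xHH escapes")
    return bytes(int(h, 16) for h in escapes)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant run, at most log2(len(data))."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_signature(payload: bytes, pattern: str = NETSKY_P_PATTERN) -> list:
    """Offsets in payload where the signature bytes occur (what the sensor's regex does)."""
    needle = pattern_to_bytes(pattern)
    return [m.start() for m in re.finditer(re.escape(needle), payload)]


if __name__ == "__main__":
    sig = pattern_to_bytes(NETSKY_P_PATTERN)
    print(len(sig), "bytes:", sig)
    print("signature entropy :", shannon_entropy(sig))          # 4.5625 bits/byte
    print("constant run      :", shannon_entropy(b"A" * 32))     # 0.0
    print("English text      :", shannon_entropy(b"the quick brown fox jumps over t"))
    # Constructed sample payload: a MIME-style header followed by the signature bytes.
    sample = b"Content-Transfer-Encoding: base64\r\n\r\n" + sig + b"trailing data"
    print("match offsets     :", find_signature(sample))
```

The 32-byte section uses 25 distinct byte values, so its entropy (4.5625 bits/byte) sits close to the 5-bit ceiling for a 32-byte sample; a random 32-byte run from benign traffic would rarely reproduce exactly that sequence, which is the basis of the low-false-positive argument above.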
08-29-2005 06:19 AM
Hi Darin,
I'm afraid I'm not aware of any internet reference for the use of this string.
Our "virus signatures" such as this one are based on virus samples we receive from our partner Trend Micro.
If you feel this signature could trigger a false positive, please provide some additional details.
Thanks,
JF
08-29-2005 10:02 AM
Darin,
Keep in mind that we are evaluating the binary network data, so a binary string is not unreasonable. I don't think you should expect to be able to "parse" the string in every case.
Scott
08-30-2005 01:39 AM
Hi Scott,
Thank you for your reply.
I know that we are evaluating binary data but I was perhaps just looking for some substantial evidence that would enhance my evaluation of the signature.
When writing about an attack, one of the sections requires that you normally explain the signature. Motivating for more stringent security checking in our products and solutions with regard to network security is often a difficult task. This task is made easier with proper explanations for how these checks are made and I was wondering about the choice of regular expression in this signature.
What makes or excludes the signature from triggering falsely?
Why that choice of string to look for in the network data?