Storm worm

jpeadro80
Level 1

Is there a signature to detect Storm worm and its variants over HTTP?

21 Replies

wsulym
Cisco Employee

I was already working on modifying this signature when you guys posted... yes, the current released signature in S298 is very broad and generic. I didn't see any alerts when I initially had it out (prior to the S298 release).

There's a tighter signature coming in S299.

I've gotten over 3000 hits from 2 sensors in 6 hours. I wish you guys would use a larger testbed network for these sigs.

Walter, are you going to use a sig similar to this?

uri-regex: http\x3a\x2f\x2f[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}[/][?][0-9a-f]{16}

header-regex: [Hh][Oo][Ss][Tt]\x3a\x20[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}
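The two regexes quoted above, applied to constructed HTTP requests, as an added example that is not part of the thread. It assumes the sensor evaluates the uri-regex against a URL rebuilt from the request line and Host header (the `reconstruct_url` helper mimics that), and it adds an octet range check that the posted IP pattern does not perform.

```python
import re
from typing import Optional

# The two patterns quoted in the thread, compiled exactly as posted.
URI_RE = re.compile(
    r"http\x3a\x2f\x2f[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}[/][?][0-9a-f]{16}"
)
HOST_RE = re.compile(
    r"[Hh][Oo][Ss][Tt]\x3a\x20[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}\x2e[0-9]{1,3}"
)
IPV4_RE = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})")


def reconstruct_url(request: str) -> Optional[str]:
    """Rebuild 'http://<Host><path>' from a raw HTTP request.

    Assumption: the sensor applies uri-regex to a URL rebuilt from the
    request line plus Host header; this helper imitates that step.
    """
    lines = request.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    path = parts[1]
    for line in lines[1:]:
        if line.lower().startswith("host: "):
            return "http://" + line[6:].strip() + path
    return None


def storm_http_match(request: str) -> bool:
    """True when both the Host header and the rebuilt URL match the posted regexes."""
    url = reconstruct_url(request)
    return bool(url and HOST_RE.search(request) and URI_RE.search(url))


def plausible_ipv4(host: str) -> bool:
    """Octet range check the posted regex lacks ([0-9]{1,3} also accepts 999.999.999.999)."""
    m = IPV4_RE.fullmatch(host)
    return bool(m) and all(0 <= int(o) <= 255 for o in m.groups())


# Constructed sample requests (not captured traffic).
STORM_LIKE = "GET /?0123456789abcdef HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
NAMED_HOST = "GET /?0123456789abcdef HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SHORT_TOKEN = "GET /?0123abcd HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
UPPER_HEX = "GET /?0123456789ABCDEF HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"  # [0-9a-f] is lowercase only

if __name__ == "__main__":
    for name, req in [("storm-like", STORM_LIKE), ("named host", NAMED_HOST),
                      ("short token", SHORT_TOKEN), ("upper hex", UPPER_HEX)]:
        print(f"{name:12} -> {storm_http_match(req)}")
```

Only the first request fires; the uppercase-hex case shows that the character class as posted is case-sensitive, which is worth knowing before tuning the signature.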

Has anyone tried the new signature update S299 with the updated Storm Worm sig? Is it working better than S298?

Even with S299, I got false positives from NB traffic on port 137 thrown by SigID:5894/1. It appears that NBNS chatter doesn't sit well with this signature.

For instance: one of the false positives triggered on the Transaction ID from the NetBIOS Name Service packet. It seems that the regex is pretty weak (being only two bytes).

The 2 byte regex, while being *very* short, is really the only thing consistent about that p2p traffic. Anything much more into the packet doesn't get you anything better.

The one thing that you might want to do is raise the event count from 50 to, say, 75. So far, I haven't seen those alerts fire (5894-1) or anyone else say anything about it yet, but it's possible that that threshold might not be high enough for you.

Wait a sec, it can use any arbitrary UDP port, even on non-Windows boxes?

Just got a couple of false positives from a DNS server. Again, it triggered on the Transaction ID.

Quite possibly. From what I saw, it's pretty port agile once it starts, and while I did not see that it hit low ports, I don't think that it would be any sort of a far stretch to say that it wouldn't.
