Storm Worm False Positives - How can I really detect it?

nykoelle01
Level 1

I'm running a small army of IPS sensors in our network, and since upgrading the sensors and MARS today, I've seen huge numbers of signature 5894, the Storm Worm signature. Now, the signature specifies that it can fire for any nginx server, and I speculate that that's what is happening (it's fired for yahoo sites, etc).

So, is there any way I can more finely tune this, or is there other traffic that would be present in the case that a workstation was truly infected? Our users have shown a concern about this Storm Worm and I need to be prepared.

Thanks.

mhellman
Level 7

Take a look here for a pretty good analysis of the worm:

http://www.cyber-ta.org/pubs/StormWorm/

Storm is constantly evolving, so YMMV. Based on the paper, the 5894-1 signature should detect infected machines. 5894-0 is not so good and will generate all sorts of false positives on a network with a reasonable amount of user web browsing traffic.
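An added triage example (not from the thread or from Cisco) that applies the reply's advice to a batch of alerts: hosts with any 5894-1 hit are flagged for investigation, hosts that only produced 5894-0 hits are marked as probable false positives from ordinary browsing to nginx-fronted sites. The alert line format and the addresses are constructed for the example, not a real sensor export.

```python
import re
from collections import defaultdict

# Constructed sample alerts (not real IPS or MARS output): one event per line
# with signature id, subsignature id, internal "attacker" and remote "victim".
SAMPLE_ALERTS = """\
sigId=5894 subSigId=0 attacker=10.1.1.20 victim=203.0.113.10
sigId=5894 subSigId=0 attacker=10.1.1.21 victim=203.0.113.10
sigId=5894 subSigId=0 attacker=10.1.1.20 victim=198.51.100.7
sigId=5894 subSigId=1 attacker=10.1.1.55 victim=198.51.100.44
sigId=5894 subSigId=0 attacker=10.1.1.55 victim=203.0.113.10
sigId=2100 subSigId=0 attacker=10.1.1.60 victim=10.1.1.5
"""

ALERT_RE = re.compile(r"sigId=(\d+) subSigId=(\d+) attacker=(\S+) victim=(\S+)")


def parse_alerts(text):
    """Parse the constructed alert lines into (sig, subsig, attacker, victim) tuples."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            sig, subsig, attacker, victim = m.groups()
            events.append((int(sig), int(subsig), attacker, victim))
    return events


def triage_storm(events):
    """Return a verdict per internal host that fired signature 5894.

    'investigate'  - at least one 5894-1 hit (the subsignature the reply trusts)
    'probable-fp'  - only 5894-0 hits, which fire on normal browsing to nginx sites
    Hosts that never fired 5894 are not reported at all.
    """
    hits = defaultdict(lambda: {0: 0, 1: 0})
    for sig, subsig, attacker, _victim in events:
        if sig == 5894 and subsig in (0, 1):
            hits[attacker][subsig] += 1
    return {host: ("investigate" if counts[1] > 0 else "probable-fp")
            for host, counts in hits.items()}


if __name__ == "__main__":
    for host, verdict in sorted(triage_storm(parse_alerts(SAMPLE_ALERTS)).items()):
        print(host, verdict)
```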