[Snort-sigs] Quick rule for Gone.A Worm

Sam sam at ...219...
Tue Dec 4 13:25:17 EST 2001


I've whipped up a quick rule to report any Gone.A infections.  Feel free
to use at your own risk. :)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "Virus - Gone.A Worm"; \
    content: "gone.scr"; content: "When I saw this screen saver"; rev:1; \
    flags: A+;)

I left the destination port to any since the virus could potentially come
in via people sending the virus out via SMTP, people getting the virus via
Web Mail (port 80) and people getting the virus via POP or IMAP.

-Sam
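
The matching logic of the rule above, as an added Python sketch (not part of the original post and not Snort's own code), run over constructed payloads for the SMTP, POP3 and webmail paths the post mentions. It assumes each segment is evaluated on its own with no stream reassembly; the `Packet` class, `rule_matches`, `evaluate` and all sample data are hypothetical.

```python
# Added illustration (not Snort code): models how the rule's options combine.
from dataclasses import dataclass

ACK = 0x10  # TCP ACK flag bit
# Both content strings from the rule; Snort requires every content to match.
CONTENTS = (b"gone.scr", b"When I saw this screen saver")


@dataclass
class Packet:  # hypothetical container for one TCP segment
    dst_port: int
    tcp_flags: int
    payload: bytes


def rule_matches(pkt: Packet) -> bool:
    # flags: A+ -> ACK must be set, any other flags may also be set.
    if not pkt.tcp_flags & ACK:
        return False
    # Destination port is "any", so dst_port is deliberately not checked.
    # content without nocase is a case-sensitive byte search, so a renamed
    # or upper-cased attachment name is missed unless nocase is added.
    return all(c in pkt.payload for c in CONTENTS)


# Constructed sample payloads, not captured traffic.
BODY = b'When I saw this screen saver (sample)\r\nfilename="gone.scr"\r\n'
SAMPLES = {
    "smtp_25": Packet(25, 0x18, b"Subject: Hi\r\n\r\n" + BODY),
    "pop3_110": Packet(110, 0x18, b"+OK\r\n" + BODY),
    "webmail_80": Packet(80, 0x10, b"HTTP/1.1 200 OK\r\n\r\n" + BODY),
    "syn_only": Packet(25, 0x02, BODY),
    "upper_case_name": Packet(25, 0x18, BODY.replace(b"gone.scr", b"GONE.SCR")),
    "filename_only": Packet(25, 0x18, b'filename="gone.scr"\r\n'),
}


def evaluate(samples=SAMPLES):
    # Map each sample name to whether the modelled rule would alert on it.
    return {name: rule_matches(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:16} {'ALERT' if hit else '-'}")
```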





