[Snort-sigs] Re: Quick rule for Gone.A Worm

Sam sam at ...219...
Tue Dec 4 13:28:03 EST 2001


Woops..  Add nocase; to that.  Should read:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "Virus - Gone.A Worm"; \
content: "gone.scr"; content: "When I saw this screen saver"; nocase; \
flags: A+; rev:1;)

Sorry for the inconvenience.

-Sam

On Tue, 4 Dec 2001, Sam wrote:

> I've whipped up a quick rule to report any Gone.A infections.  Feel free
> to use at your own risk. :)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "Virus - Gone.A Worm";
> content: "gone.scr"; content: "When I saw this screen saver"; rev:1;
> flags: A+;)
>
> I left the destination port to any since the virus could potentially come
> in via people sending the virus out via SMTP, people getting the virus via
> Web Mail (port 80) and people getting the virus via POP or IMAP.
>
> -Sam
>
>
>
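
Added example, not part of Sam's messages and not Snort code: a small Python model of how the content/nocase options in the two rules above decide a match. It assumes nocase modifies only the content option that precedes it (the behaviour documented for Snort 2.x content modifiers; the Snort release in use when this was posted may differ), that each content may match anywhere in the payload, and it ignores the rule header and flags. BOTH_NOCASE is a hypothetical variant that does not appear in the thread, and the payloads are constructed.

```python
import re

# Content-related option lists copied from the two rules in the thread; the
# third is a hypothetical variant (not from the thread) with nocase on both.
ORIGINAL = 'content: "gone.scr"; content: "When I saw this screen saver"; rev:1; flags: A+;'
CORRECTED = 'content: "gone.scr"; content: "When I saw this screen saver"; nocase; flags: A+; rev:1;'
BOTH_NOCASE = ('content: "gone.scr"; nocase; '
               'content: "When I saw this screen saver"; nocase; flags: A+; rev:1;')

# One "name;" or "name: value;" option; a quoted value may contain semicolons.
OPTION = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def parse_contents(options):
    """Return [(pattern_bytes, nocase_flag), ...] in rule order.

    Assumption: nocase applies only to the content option that precedes it.
    """
    contents = []
    for name, value in OPTION.findall(options):
        if name == "content":
            contents.append([value.strip('"').encode(), False])
        elif name == "nocase" and contents:
            contents[-1][1] = True
    return [tuple(c) for c in contents]

def payload_matches(options, payload):
    """True when every content pattern occurs somewhere in the payload."""
    for pattern, nocase in parse_contents(options):
        haystack, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in haystack:
            return False
    return True

# Constructed payloads (not captured traffic).
SAMPLES = {
    "exact case": b'filename="gone.scr"\r\n\r\nWhen I saw this screen saver',
    "body case differs": b'filename="gone.scr"\r\n\r\nWHEN I SAW THIS SCREEN SAVER',
    "filename case differs": b'filename="GONE.SCR"\r\n\r\nWhen I saw this screen saver',
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        row = [payload_matches(r, payload) for r in (ORIGINAL, CORRECTED, BOTH_NOCASE)]
        print(f"{label:22} original={row[0]} corrected={row[1]} both_nocase={row[2]}")
```

Under the stated assumption, the corrected rule still compares "gone.scr" case-sensitively, so a payload that differs only in the filename's case is matched by the hypothetical variant alone.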




