[Snort-sigs] Re: Quick rule for Gone.A Worm
drsuse at ...223...
Tue Dec 4 14:00:05 EST 2001
I came up with something close to this but to reduce the number of false
positives I added dsize: > 1400
> Woops.. Add nocase; to that. Should read:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "Virus - Gone.A Worm";
> content: "gone.scr"; content: "When I saw this screen saver"; nocase;
> flags: A+; rev:1;)
> Sorry for the inconvenience.
> On Tue, 4 Dec 2001, Sam wrote:
> > I've whipped up a quick rule to report any Gone.A infections. Feel free
> > to use at your own risk. :)
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "Virus - Gone.A Worm";
> > content: "gone.scr"; content: "When I saw this screen saver"; rev:1;
> > flags: A+;)
> > I left the destination port to any since the virus could potentially come
> > in via people sending the virus out via SMTP, people getting the virus via
> > Web Mail (port 80) and people getting the virus via POP or IMAP.
> > -Sam
What's the word? Thunderbird.
How's it sold? Good and cold.
What's the jive? Bird's alive.
What's the price? Thirty twice.
Microsoft is not installed.
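
The rule variants from this thread, modelled as an added example (not code from any poster or from Snort itself): it shows that `nocase` only modifies the `content` option directly before it, and how `dsize: > 1400` treats a short payload. The payloads are constructed and the helper names and the `BOTH_NOCASE` variant are hypothetical.

```python
# Added example: models content / nocase / dsize evaluation for the rule
# variants in this thread. All payloads are constructed test data.

def content_match(payload: bytes, pattern: bytes, nocase: bool) -> bool:
    """One Snort `content` option; `nocase` applies to this pattern only."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def rule_matches(payload: bytes, contents, min_dsize=None) -> bool:
    """All (pattern, nocase) pairs must match; `dsize: > N` is strict."""
    if min_dsize is not None and len(payload) <= min_dsize:
        return False
    return all(content_match(payload, p, nc) for p, nc in contents)


TEXT = b"When I saw this screen saver"
# Corrected rule as posted: nocase follows only the second content.
AS_POSTED = [(b"gone.scr", False), (TEXT, True)]
# Hypothetical variant: nocase after each content option.
BOTH_NOCASE = [(b"gone.scr", True), (TEXT, True)]


def make_payload(filename: bytes, size: int = 0) -> bytes:
    """Constructed mail fragment, padded with filler up to `size` bytes."""
    data = b'filename="' + filename + b'"\r\n\r\n' + TEXT + b"\r\n"
    return data + b"A" * max(0, size - len(data))


def evaluate():
    small = make_payload(b"gone.scr")            # short segment
    large = make_payload(b"gone.scr", 1460)      # full-size segment
    upper = make_payload(b"GONE.SCR", 1460)      # upper-case file name
    return {
        "posted_small": rule_matches(small, AS_POSTED),
        "posted_small_dsize": rule_matches(small, AS_POSTED, 1400),
        "posted_large_dsize": rule_matches(large, AS_POSTED, 1400),
        "posted_upper": rule_matches(upper, AS_POSTED),
        "both_nocase_upper": rule_matches(upper, BOTH_NOCASE, 1400),
    }


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {'alert' if hit else 'no alert'}")
```

Running the same payload set against each rule revision before deploying it shows which false negatives a false-positive reduction such as the `dsize` filter introduces.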