[Snort-sigs] Re: Quick rule for Gone.A Worm

Dr SuSE drsuse at ...223...
Tue Dec 4 14:00:05 EST 2001


I came up with something close to this but to reduce the number of false 
positives I added dsize: > 1400

> Woops..  Add nocase; to that.  Should read:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "Virus - Gone.A Worm";
> content: "gone.scr"; content: "When I saw this screen saver"; nocase;
> flags: A+; rev:1;)
> 
> Sorry for the inconvenience.
> 
> -Sam
> 
> On Tue, 4 Dec 2001, Sam wrote:
> 
> > I've whipped up a quick rule to report any Gone.A infections.  Feel free
> > to use at your own risk. :)
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "Virus - Gone.A Worm";
> > content: "gone.scr"; content: "When I saw this screen saver"; rev:1;
> > flags: A+;)
> >
> > I left the destination port to any since the virus could potentially come
> > in via people sending the virus out via SMTP, people getting the virus via
> > Web Mail (port 80) and people getting the virus via POP or IMAP.
> >
> > -Sam
> >
> >
> >
> 
> 


What's the word?    Thunderbird.
How's it sold?      Good and cold.
What's the jive?    Bird's alive.
What's the price?   Thirty twice.


---------------------------------------------
Microsoft is not installed.
http://www.drsuse.org/
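To make the two variants in this thread concrete, here is a small added example (not code from the thread and not Snort itself) that models only the content, nocase and dsize options of a Snort rule. One point worth seeing in code: in Snort, nocase applies only to the content option immediately before it, so "gone.scr" stays case-sensitive in Sam's rule while "When I saw this screen saver" is matched case-insensitively; the dsize: > 1400 addition then drops short payloads. The sample payloads are constructed for the example.

```python
import re

SAM_OPTS = ('msg: "Virus - Gone.A Worm"; content: "gone.scr"; '
            'content: "When I saw this screen saver"; nocase; flags: A+; rev:1;')
DRSUSE_OPTS = SAM_OPTS + ' dsize: > 1400;'   # the false-positive tweak from this post


def parse_options(opts: str) -> dict:
    """Parse the option part of a Snort rule into content patterns and a dsize floor.

    Only content/nocase/dsize are modelled; msg, flags and rev are ignored here.
    nocase is applied to the preceding content only, mirroring Snort semantics.
    """
    contents, min_dsize = [], 0
    for opt in (o.strip() for o in opts.split(";") if o.strip()):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            contents.append([val.strip('"').encode(), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True            # applies to the last content only
        elif key == "dsize":
            m = re.fullmatch(r">\s*(\d+)", val)  # only the '> N' form used in the thread
            if m:
                min_dsize = int(m.group(1)) + 1
    return {"contents": [tuple(c) for c in contents], "min_dsize": min_dsize}


def matches(rule: dict, payload: bytes) -> bool:
    """Return True if every content pattern is found and the dsize floor is met."""
    if len(payload) < rule["min_dsize"]:
        return False
    for needle, nocase in rule["contents"]:
        hay = payload.lower() if nocase else payload
        needle = needle.lower() if nocase else needle
        if needle not in hay:
            return False
    return True


# Constructed sample payloads (not real captures).
SMALL = b"Subject: Hi\r\n\r\nWhen I saw this screen saver... attached gone.scr\r\n"
LARGE = SMALL + b"A" * 1500                                    # > 1400 bytes
UPPER_NAME = SMALL.replace(b"gone.scr", b"GONE.SCR") + b"A" * 1500
UPPER_TEXT = SMALL.upper().replace(b"GONE.SCR", b"gone.scr") + b"A" * 1500

SAM_RULE = parse_options(SAM_OPTS)
DRSUSE_RULE = parse_options(DRSUSE_OPTS)
```

Running the four payloads through both rules shows that the dsize floor is what separates the short message from the padded one, and that only the second content string tolerates a case change.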