[Snort-sigs] Fw: virus rules

Jeff Dell jdell at ...178...
Sat Nov 10 05:12:02 EST 2001


Lucian,

Most of the virus rules are only looking at port 110. This is pretty
limited if you are not allowing POP3. For us, we don't allow POP3 at all
from the internet, so these rules are useless. One thing that you can do
is add/change all of the rules from:

alert tcp any 110 -> any any

to:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25
This will pick up all virus rules going into your business via SMTP.

Or:

alert tcp any any -> any 25
This will pick up all virus rules going in or out of your business via
SMTP

I hope this helps
Jeff
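As an added illustration of the header change described above (this script is not part of the original post), the function below rewrites a port-110 virus rule into either of the two SMTP forms. It assumes the rule is on one line in the Snort 1.x text format shown in this thread, and it assigns each copy a fresh sid in the local range (1000000 and up) so the copy does not collide with the sid of the rule it was derived from.

```python
import re

# Header of a one-line Snort rule: action proto src sport direction dst dport, then "(options)".
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

# The two SMTP headers proposed in the reply: inbound only, or any direction.
SMTP_HEADERS = {
    "inbound": "$EXTERNAL_NET any -> $HOME_NET 25",
    "any": "any any -> any 25",
}


def rewrite_to_smtp(rule, scope, new_sid):
    """Return a copy of a POP3 (port 110) virus rule that watches SMTP (port 25) instead.

    scope is 'inbound' or 'any'. new_sid should be a locally assigned sid (>= 1000000,
    the conventional local range) so the copy and the original rule keep distinct sids.
    Every option other than sid/rev (msg, content, ...) is carried over unchanged.
    """
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a parsable one-line Snort rule: %r" % rule)
    if "110" not in (m.group("sport"), m.group("dport")):
        raise ValueError("rule does not watch POP3 (port 110), nothing to rewrite")
    opts = m.group("opts")
    opts = re.sub(r'sid\s*:\s*\d+\s*;', 'sid:%d;' % new_sid, opts)  # fresh sid for the copy
    opts = re.sub(r'rev\s*:\s*\d+\s*;', 'rev:1;', opts)              # new rule, so rev starts at 1
    return "%s %s %s (%s)" % (m.group("action"), m.group("proto"), SMTP_HEADERS[scope], opts)


def rewrite_ruleset(rules, scope, first_sid=1000000):
    """Rewrite every port-110 rule in a list, numbering sids consecutively; skip the rest."""
    out, sid = [], first_sid
    for rule in rules:
        try:
            out.append(rewrite_to_smtp(rule, scope, sid))
            sid += 1
        except ValueError:
            continue
    return out


if __name__ == "__main__":
    # Constructed sample set: the rule quoted in this thread plus an unrelated (non-POP3) rule.
    sample = [
        'alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming"; content:"Suddlently"; sid:720; rev:1;)',
        'alert tcp any any -> any 80 (msg:"constructed non-pop3 rule"; sid:1; rev:1;)',
    ]
    for line in rewrite_ruleset(sample, "any"):
        print(line)
```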


-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Lucian
Vanghele
Sent: Friday, November 09, 2001 4:17 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Fw: virus rules




hi there
I have some problems with a virus js.exception.exploit (which is supposed
to send mass mails all over the world) and I want to add a rule for
outgoing mails
all rules are for incoming mails and very few for outgoing.... (it is
important to know if from your server some undetected virus spread its
s**t)
for example how can I change this rule
alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming";
content:"Suddlently"; sid:720; rev:1;)
to check if that virus goes out from my server
( alert tcp any any -> any 25 (msg:"Virus - SnowWhite Trojan Incoming";
content:"Suddlently"; sid:720; rev:1;) I think so but not sure...)


thanx

Lucian Vanghele,