[Snort-sigs] SMTP Virus Signatures

Jeff Dell jdell at ...178...
Sat Nov 10 06:07:02 EST 2001


I took a few popular virus signatures and changed them from POP3 to
SMTP. How do you feel about adding them, in addition to the POP3 rules, to
the virus signatures?

alert tcp any any -> any 25 (msg:"Virus - Possible scr Worm"; content: "filename="; content: ".scr"; nocase; classtype:misc-activity; )
alert tcp any any -> any 25 (msg:"Virus - Possible shs Worm"; content: "filename="; content: ".shs"; nocase; classtype:misc-activity; )
alert tcp any any -> any 25 (msg:"Virus - Possible vbs Worm"; content: "filename="; content: ".vbs"; nocase; classtype:misc-activity; )

Also, can we standardize this rule:
alert tcp any 110 -> any any (msg:"Virus Possible Suppl Worm"; content:"filename=\"Suppl.doc\""; nocase; reference:MCAFEE,10361; sid:752; classtype:misc-activity; rev:4;)

All of the others have a msg format like this...
alert tcp any 110 -> any any (msg:"Virus - Possible Suppl Worm"; content: "filename=\"Suppl.doc\""; nocase; reference:MCAFEE,10361; sid:752; classtype:misc-activity; rev:5;)

Thanks,
Jeff
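The following is an added example, not code from Jeff's post or from the Snort project: a small evaluator for the content/nocase options of the rules quoted above, run against constructed SMTP and POP3 payloads so the matching behaviour can be checked without a sensor. It assumes the Snort 1.8-era semantics that each content: option is an independent, unordered substring search over the packet payload and that nocase modifies only the content: immediately before it; |hex| escapes, offset/depth, and stream reassembly are not modelled, and the payloads and port numbers are invented for the example.

```python
"""Minimal evaluator for the content/nocase options of the Snort rules quoted
in the post above.  Added example, not code from the post or the Snort project.
Assumptions: Snort's `nocase` modifies only the content: option immediately
before it; each content: is an independent, unordered substring search over
the payload; |hex| escapes, offset/depth and stream reassembly are not modelled.
All SMTP/POP3 payloads below are constructed for the example."""
import re

# Rules as they appear in the post, each on a single line.
RULES = [
    'alert tcp any any -> any 25 (msg:"Virus - Possible scr Worm"; content: "filename="; content: ".scr"; nocase; classtype:misc-activity; )',
    'alert tcp any any -> any 25 (msg:"Virus - Possible shs Worm"; content: "filename="; content: ".shs"; nocase; classtype:misc-activity; )',
    'alert tcp any any -> any 25 (msg:"Virus - Possible vbs Worm"; content: "filename="; content: ".vbs"; nocase; classtype:misc-activity; )',
    'alert tcp any 110 -> any any (msg:"Virus - Possible Suppl Worm"; content: "filename=\\"Suppl.doc\\""; nocase; reference:MCAFEE,10361; sid:752; classtype:misc-activity; rev:5;)',
]


def _unquote(value):
    """Strip the surrounding quotes and resolve backslash escapes such as \\" ."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)


def parse_rule(rule):
    """Parse header ports plus msg/content/nocase from one Snort rule line."""
    header, _, body = rule.partition("(")
    fields = header.split()  # action proto src sport -> dst dport
    if len(fields) != 7 or fields[4] != "->":
        raise ValueError("unsupported header: %r" % header)
    parsed = {"msg": None, "sport": fields[3], "dport": fields[6], "contents": []}
    for opt in body.rstrip().rstrip(")").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        if opt == "nocase":
            if not parsed["contents"]:
                raise ValueError("nocase without a preceding content")
            pat, _ = parsed["contents"][-1]
            parsed["contents"][-1] = (pat, True)  # modifies the last content only
            continue
        key, _, val = opt.partition(":")
        key = key.strip()
        if key == "msg":
            parsed["msg"] = _unquote(val)
        elif key == "content":
            parsed["contents"].append((_unquote(val).encode("latin-1"), False))
        # classtype, reference, sid, rev carry no match logic and are ignored here
    return parsed


PARSED = [parse_rule(r) for r in RULES]


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def _content_hit(payload, pattern, nocase):
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def evaluate(payload, src_port, dst_port, rules=PARSED):
    """Return the msg of every rule whose ports match and whose contents are all found."""
    hits = []
    for r in rules:
        if not (_port_ok(r["sport"], src_port) and _port_ok(r["dport"], dst_port)):
            continue
        if all(_content_hit(payload, pat, nc) for pat, nc in r["contents"]):
            hits.append(r["msg"])
    return hits


# Constructed payloads (not real captures).
SMTP_SCR = (b"DATA\r\nSubject: pics\r\nMIME-Version: 1.0\r\n"
            b'Content-Disposition: attachment; filename="Readme.SCR"\r\n\r\n'
            b"TVqQAAMAAAAEAAAA\r\n.\r\n")
# Plain-text body containing ".scr" as a substring: the rule cannot tell this from an attachment.
SMTP_FALSE_POS = (b"DATA\r\n"
                  b'Content-Disposition: attachment; filename="notes.txt"\r\n\r\n'
                  b"Run login.script after install.\r\n.\r\n")
# Upper-case header name: "filename=" is case-sensitive because nocase only covers ".vbs".
SMTP_UPPER = b'DATA\r\nContent-Disposition: attachment; FILENAME="macro.vbs"\r\n\r\n.\r\n'
POP3_SUPPL = b'+OK\r\nContent-Disposition: attachment; filename="SUPPL.DOC"\r\n\r\n.\r\n'

if __name__ == "__main__":
    for name, payload, sp, dp in [("scr", SMTP_SCR, 4123, 25),
                                   ("false-pos", SMTP_FALSE_POS, 4124, 25),
                                   ("upper", SMTP_UPPER, 4125, 25),
                                   ("suppl", POP3_SUPPL, 110, 51000)]:
        print(name, evaluate(payload, sp, dp))
```

Two things the run makes visible that the rule text alone does not: the scr rule also fires on a plain-text body that merely contains ".scr" as a substring (here "login.script"), because the two content: options are matched independently rather than as one string, and a sender that writes the header name in upper case slips past all three SMTP rules, since nocase only covers the extension and "filename=" stays case-sensitive.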