[Snort-sigs] Fw: virus rules

Michael Scheidell scheidell at ...183...
Sat Nov 10 07:24:01 EST 2001


> to check if that virus goes out from my server

That should check incoming AND outgoing.

Question about rules and sigs:
Would this optimize things or not?
(Doesn't this only check if src port > 1023?)
(Would this save ANY CPU cycles?)

What about pop3? This doesn't check lusers reading pop3 mail or webmail.
Don't you need to add or remove the 'sid' when duping rules to prevent
automated dup removers?

alert tcp any 1023: -> any 25 (msg:"Virus - SnowWhite Trojan Incoming"; \
 content:"Suddlently"; sid:720; rev:1;)

Will this do pop3 and web?

alert tcp $EXTERNAL_NET 80:110 -> $HOME_NET 1023: (msg:"Virus - SnowWhite \
Trojan Incoming"; content:"Suddlently"; sid:720; rev:1;)

-- 
Michael Scheidell
Florida Datamation, Inc.
scheidell at ...183... 1+(561) 368-9561
See updated IT Security News at http://www.fdma.com/
After system Compromise : http://www.cert.org/tech_tips/
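The port questions in the post (what `1023:` covers, whether `80:110` reaches both web and pop3, and what a duplicated sid does to a rule set) can be answered mechanically. The script below is an added example, not part of the post and not Snort's own parser: it reads the two rules from the post (with the missing `tcp` protocol assumed on the second one so that it parses), interprets only the header port specs and the `sid` option, and reports what each header would match. In Snort syntax `N:` means N and above inclusive, `:M` means M and below, and `80:110` is a contiguous range, so it also matches every port from 81 to 109, not just 80 and 110. Address variables such as `$HOME_NET` are left unresolved.

```python
"""Minimal Snort rule-header checker (added example, not Snort's own code).

Parses the two rules from the post, shows what their port specs match,
and flags duplicate sids.  Only the header and the sid option are
interpreted; content matching is out of scope.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed rule text: the two rules from the post, with the missing
# "tcp" assumed on the second one so it has a valid header.
RULES_TEXT = r'''
alert tcp any 1023: -> any 25 (msg:"Virus - SnowWhite Trojan Incoming"; \
 content:"Suddlently"; sid:720; rev:1;)
alert tcp $EXTERNAL_NET 80:110 -> $HOME_NET 1023: (msg:"Virus - SnowWhite \
Trojan Incoming"; content:"Suddlently"; sid:720; rev:1;)
'''

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sports>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dports>\S+)\s*\((?P<opts>.*)\)\s*$'
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sports: str
    direction: str
    dst: str
    dports: str
    sid: int


def join_continuations(text: str) -> List[str]:
    """Join lines ending in a backslash, as Snort does, and drop blank lines."""
    lines, buf = [], ''
    for raw in text.splitlines():
        if raw.rstrip().endswith('\\'):
            buf += raw.rstrip()[:-1]
            continue
        buf += raw
        if buf.strip():
            lines.append(buf.strip())
        buf = ''
    return lines


def parse_rule(line: str) -> Rule:
    """Split one rule into its header fields and pull the sid out of the options."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f'unparseable rule header: {line}')
    sid_m = re.search(r'\bsid:\s*(\d+)', m.group('opts'))
    if not sid_m:
        raise ValueError(f'rule has no sid: {line}')
    return Rule(m.group('action'), m.group('proto'), m.group('src'),
                m.group('sports'), m.group('dir'), m.group('dst'),
                m.group('dports'), int(sid_m.group(1)))


def port_matches(spec: str, port: int) -> bool:
    """Snort port spec: 'any', 'N', 'N:' (N and above), ':M' (M and below), 'N:M'."""
    if spec == 'any':
        return True
    if ':' not in spec:
        return port == int(spec)
    lo, hi = spec.split(':', 1)
    low = int(lo) if lo else 0
    high = int(hi) if hi else 65535
    return low <= port <= high


def header_matches(rule: Rule, sport: int, dport: int) -> bool:
    """Port-only view of the header; address variables are not resolved here."""
    return port_matches(rule.sports, sport) and port_matches(rule.dports, dport)


def duplicate_sids(rules: List[Rule]) -> Set[int]:
    """Return every sid that appears more than once in the rule list."""
    seen, dups = set(), set()
    for r in rules:
        if r.sid in seen:
            dups.add(r.sid)
        seen.add(r.sid)
    return dups


def load_rules(text: str = RULES_TEXT) -> List[Rule]:
    return [parse_rule(line) for line in join_continuations(text)]


if __name__ == '__main__':
    rules = load_rules()
    smtp, pop = rules
    print('client 1025 -> 25 hits SMTP rule:', header_matches(smtp, 1025, 25))
    print('src port 1022 -> 25 hits SMTP rule:', header_matches(smtp, 1022, 25))
    print('POP3 server 110 -> client 2048 hits second rule:', header_matches(pop, 110, 2048))
    print('port 90 is inside 80:110 too:', port_matches('80:110', 90))
    print('duplicate sids:', duplicate_sids(rules))
```

Running it shows that the first header only fires when the source port is 1023 or higher, that the second header fires for any server port from 80 through 110 toward a client port of 1023 or higher, and that both rules share sid 720, which is exactly what a duplicate-removing script would key on.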




