[Snort-sigs] rules

Chris Green cmg at ...26...
Wed Nov 14 09:50:02 EST 2001


"Lucian Vanghele" <lucian.vanghele at ...182...> writes:

> hi there
> I have some problems with a virus js.exception.exploit (which is supposed
> to send mass mails all over the world) and I want to add a rule for
> outgoing mails
> to check if that virus goes out from my server
>  ( alert tcp any any -> any 25 (msg:"Virus - SnowWhite Trojan Incoming";
> content:"Suddlently"; sid:720; rev:1;) I think so but not sure...)


I would make sure that it reads

alert tcp $HOME_NET any -> any 25 \
       (msg:"Virus - SnowWhite Trojan Outgoing"; \
        content:"Suddlently"; sid:1000720; rev:1;)

Note that the sid is changed because it is a different rule. Right now
sids are advisory, though in the not so far future they will be
something rules require (at least if you expect certain tools to work
correctly).
-- 
Chris Green <cmg at ...26...>
This is my signature. There are many like it but this one is mine.
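
Added example, not part of the original message or of Snort itself: a small check for a local rules file that flags the sid problems the reply is steering around (an edited rule that keeps a stock sid, or two different rules sharing one sid). The 1,000,000 threshold is Snort's documented convention for local rules, not something stated in this thread; the function names and the sample rules are constructed for illustration.

```python
import re
from collections import defaultdict

LOCAL_SID_MIN = 1_000_000  # assumption: Snort convention, lower SIDs belong to distributed rules

# Constructed local rules file: an edited copy that kept the stock sid, the
# corrected rule from the reply, and a deliberate sid collision.
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> any 25 (msg:"Virus - SnowWhite Trojan Outgoing"; content:"Suddlently"; sid:720; rev:1;)
alert tcp $HOME_NET any -> any 25 \
       (msg:"Virus - SnowWhite Trojan Outgoing"; \
        content:"Suddlently"; sid:1000720; rev:1;)
alert tcp $HOME_NET any -> any 25 (msg:"Constructed duplicate"; content:"example"; sid:1000720; rev:1;)
'''

def logical_rules(text):
    """Merge backslash-continued lines, then drop blank lines and comments."""
    joined = re.sub(r"\\[ \t]*\n[ \t]*", " ", text)
    lines = (line.strip() for line in joined.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def parse_rule(rule):
    """Return (sid, msg) for one logical rule; sid is None when the option is absent."""
    sid = re.search(r"\bsid\s*:\s*(\d+)\s*;", rule)
    msg = re.search(r'\bmsg\s*:\s*"([^"]*)"', rule)
    return (int(sid.group(1)) if sid else None, msg.group(1) if msg else "")

def lint(text):
    """Flag missing sids, local rules in the distributed range, and shared sids."""
    findings, seen = [], defaultdict(list)
    for rule in logical_rules(text):
        sid, msg = parse_rule(rule)
        if sid is None:
            findings.append(("missing-sid", None, msg))
            continue
        seen[sid].append(msg)
        if sid < LOCAL_SID_MIN:
            findings.append(("reserved-range", sid, msg))
    for sid, msgs in seen.items():
        if len(msgs) > 1:
            findings.append(("duplicate-sid", sid, " | ".join(msgs)))
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE_RULES), sep="\n")
```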



