[Snort-sigs] Klez worm rule?

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Tue Apr 30 13:34:07 EDT 2002

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Virus Incoming"; flow:to_server; flags:A+; dsize:>120; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1000103; rev:1;)

-----Original Message-----
From: bthaler at ...572... [mailto:bthaler at ...572...] 
Sent: Tuesday, April 30, 2002 3:20 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Klez worm rule?

Does anyone have a good rule for the Klez worm and its variants?  I could
make one based on the subject of the infected email, but it would take
possibly 20 rules or more to catch all of the variations.  This method would
also trigger a large number of false positives, no doubt.

I was hoping someone has a better rule in place.

Brad T.
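An added illustration (my code, not from either poster) of what the rule's two content matches are keying on. The fragment "VGhpcyBwcm9" is the start of the base64 encoding of "This prog", the DOS-stub text found at file offset 0x4E in PE executables; because 0x4E is a multiple of 3, a base64-encoded attachment carries that fragment as a fixed run. The PE-shaped bytes and the MIME wrapper below are constructed, and the match logic is a single-buffer model of Snort's dsize and content tests, which Snort really applies per packet or reassembled stream.

```python
import base64

# Constructed model of the rule's payload tests; not code from the list post.
RULE_CONTENTS = (b"MIME", b"VGhpcyBwcm9")
RULE_MIN_DSIZE = 120          # mirrors dsize:>120 in the rule

# Every PE executable carries this DOS-stub text at file offset 0x4E (78).
# 78 is a multiple of 3, so base64 encoding the file from byte 0 renders
# the text as one fixed character run, beginning at encoded column 104.
DOS_STUB_TEXT = b"This program cannot be run in DOS mode.\r\r\n$"
DOS_STUB_OFFSET = 0x4E


def why_this_fragment() -> str:
    """Base64 of 'This prog'; the rule's fragment is its first 11 characters."""
    return base64.b64encode(b"This prog").decode()


def constructed_pe_prefix(leading_pad: bytes = b"") -> bytes:
    """A PE-shaped byte string: optional pad, 'MZ', zeros up to 0x4E, the DOS
    stub text, then filler. Only the layout matters; it is not a program."""
    body = bytearray(b"MZ") + bytes(DOS_STUB_OFFSET - 2) + DOS_STUB_TEXT + bytes(64)
    return leading_pad + bytes(body)


def constructed_mime_message(attachment: bytes) -> bytes:
    """Wrap the attachment as a mailer would: MIME headers plus a base64 body
    wrapped at 76 columns (base64.encodebytes does the wrapping)."""
    b64 = base64.encodebytes(attachment)
    return (b"MIME-Version: 1.0\r\n"
            b"Content-Type: application/octet-stream; name=\"file.exe\"\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\n" + b64)


def rule_matches(payload: bytes) -> bool:
    """Model of the rule's payload tests: dsize:>120, and each content string
    present somewhere in the buffer. There are no distance/within modifiers,
    so the two content matches are independent of each other."""
    if len(payload) <= RULE_MIN_DSIZE:
        return False
    return all(c in payload for c in RULE_CONTENTS)


def signature_column(attachment: bytes) -> int:
    """Column where the fragment appears in unwrapped base64, or -1 if absent."""
    return base64.b64encode(attachment).find(RULE_CONTENTS[1])


if __name__ == "__main__":
    print(why_this_fragment())                       # VGhpcyBwcm9n
    aligned = constructed_pe_prefix()                # stub at offset 78
    shifted = constructed_pe_prefix(b"\x00")         # stub at offset 79
    print(signature_column(aligned), signature_column(shifted))   # 104 -1
    print(rule_matches(constructed_mime_message(aligned)),
          rule_matches(constructed_mime_message(shifted)))        # True False
```

The shifted case is the caveat worth knowing: anything that moves the executable off a 3-byte boundary before encoding changes every base64 character, and the fragment disappears even though the attachment is unchanged in substance. The match also depends on "MIME" and the fragment landing in the same packet or reassembled buffer, which the single-buffer model above does not capture.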

