[Snort-sigs] [Fwd: Re: [Dragonidsuser] W32/Mimail Signature]

Burak DAYIOGLU burak.dayioglu at ...1733...
Tue Aug 5 15:20:15 EDT 2003

I got this on the Dragon list and it seems that no rule for Mimail
exists for Snort yet. ;)

I guess something like the below would do:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MIMAIL-Virus";
flow:to_server,established; content:"This email address will be exp";
classtype:bad-unknown; sid:1000091; rev:1;)

with regards,

-----Forwarded Message-----

From: Karl Hill <karl.hill at ...1734...>
To: dragonidsuser at ...1735...
Subject: Re: [Dragonidsuser] W32/Mimail Signature
Date: 04 Aug 2003 22:37:00 -0600

i've found this one is pretty accurate, haven't seen false positives yet on it
(operative word, "yet").

T D A B 5 0 25 OCS:W32-MIMAIL-1 This/20email/20address/20will/20be/20expiring/2e
, name=/22message.zip/22

// Karl

Consultant, Pro-G Information Security and Research Ltd.
Phone: +90 312 2101494         Fax: +90 312 2101493
http://www.pro-g.com.tr           ICQ UIN: 72276975

More information about the Snort-sigs mailing list