[Snort-sigs] Rule for Sobig.F

Shane Williams shanew at ...94...
Tue Aug 19 15:30:03 EDT 2003


I spent some time today looking at the copious examples of Sobig.F that
we've been seeing through the day and have come up with a rule.

alert tcp any any -> any 25 (msg:"Probable Sobig.F in SMTP";\
content:"VDvdKcYWznRbLRPadQ+V576YUs6FwBGG\
rYnr7cqYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A";\
sid:9000019; classtype:misc-activity; rev:1;)

As usual, I've broken up the lines, including the content line, so
that this won't falsely trigger my own (or anyone else's?)
filters/rules.  And as always, let me know if you get false positives
or negatives (though I tested this one pretty extensively and feel
pretty confident about it).

Hope it helps.

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew at ...94...
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
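The rule above is a plain, case-sensitive byte match on the 76-character base64 string (the post splits it with backslash continuation so the raw text of the mail does not itself trip the rule). The following is an added example, not code from the post or from Snort: it rejoins the content string, applies the same literal match that Snort's content: option performs over a reassembled SMTP stream, and contrasts it with a match against the decoded attachment bytes. The SMTP transcript, the filler bytes around the fragment, and the helper names (raw_content_match, decoded_match, build_smtp_data) are all constructed here for illustration; nothing about the sample mail is taken from a real Sobig.F message.

```python
import base64
import re

# The 76-character content string from the rule, joined back together.
# 76 base64 characters decode to exactly 57 bytes, i.e. one full line of a
# MIME base64 body at the RFC 2045 line width.
SOBIG_F_CONTENT = (
    "VDvdKcYWznRbLRPadQ+V576YUs6FwBGG"
    "rYnr7cqYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A"
)
FRAGMENT_BYTES = base64.b64decode(SOBIG_F_CONTENT)  # 57 bytes

B64_LINE = re.compile(rb"[A-Za-z0-9+/]+=*")


def raw_content_match(stream: bytes, content: str = SOBIG_F_CONTENT) -> bool:
    """What Snort's content:"..." does: a literal, case-sensitive byte search
    over the (reassembled) TCP stream.  Line breaks inside the fragment break
    the match, because CRLF bytes are part of the stream."""
    return content.encode("ascii") in stream


def decoded_match(stream: bytes, content: str = SOBIG_F_CONTENT) -> bool:
    """Alternative check: decode each run of base64-looking lines in the
    stream and look for the decoded fragment.  Independent of line wrapping."""
    needle = base64.b64decode(content)
    run = []
    # Trailing b"" sentinel flushes the last run.
    for line in stream.split(b"\r\n") + [b""]:
        if B64_LINE.fullmatch(line):
            run.append(line)
            continue
        if run:
            chunk = b"".join(run)
            run = []
            try:
                if needle in base64.b64decode(chunk):
                    return True
            except ValueError:  # binascii.Error is a ValueError subclass
                pass
    return False


def wrap_base64(data: bytes, width: int) -> bytes:
    """Base64-encode data and wrap it at `width` characters per line (CRLF)."""
    b64 = base64.b64encode(data)
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return b"\r\n".join(lines) + b"\r\n"


def build_smtp_data(attachment: bytes, width: int) -> bytes:
    """Construct a minimal, dummy SMTP DATA transcript carrying `attachment`
    as a base64 body wrapped at `width` characters.  Constructed sample only."""
    return (
        b"DATA\r\n"
        b"From: <sender@example.invalid>\r\n"
        b"To: <recipient@example.invalid>\r\n"
        b"Subject: test message\r\n"
        b"Content-Transfer-Encoding: base64\r\n"
        b"\r\n"
        + wrap_base64(attachment, width)
        + b".\r\n"
    )


# Constructed attachment: two full 57-byte lines of filler, then the 57 bytes
# that encode to the rule's content string, then some padding bytes.  With a
# 76-character wrap the fragment lands on its own line exactly as in the rule.
SAMPLE_ATTACHMENT = bytes(range(57)) * 2 + FRAGMENT_BYTES + b"\x00" * 30


if __name__ == "__main__":
    for width in (76, 64):
        msg = build_smtp_data(SAMPLE_ATTACHMENT, width)
        print(f"wrap={width}: raw content match={raw_content_match(msg)}, "
              f"decoded match={decoded_match(msg)}")
```

With the 76-character wrap the raw match fires, which is the case the rule is written for; re-wrapping the identical attachment at 64 characters puts a CRLF inside the fragment and the raw match misses, while the decoded check still hits. That only matters if something between the infected host and the sensor re-encodes the message; the worm emits the mail itself, so the wrapping the rule was tested against is the wrapping the sensor sees.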