[Snort-sigs] Rule for Sobig.F

Jonathan Norman jnorman at ...1256...
Fri Aug 22 06:52:14 EDT 2003


Has anyone had any problems with this rule falsing?


On Tue, 19 Aug 2003, Shane Williams wrote:

> I spent some time today looking at the copious examples of Sobig.F that
> we've been seeing through the day and have come up with a rule.
>
> alert tcp any any -> any 25 (msg:"Probable Sobig.F in SMTP";\
> content:"VDvdKcYWznRbLRPadQ+V576YUs6FwBGG\
> rYnr7cqYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A";\
> sid:9000019; classtype:misc-activity; rev:1;)
>
> As usual, I've broken up the lines, including the content line, so
> that this won't falsely trigger my own (or anyone else's?)
> filters/rules.  And as always, let me know if you get false positives
> or negatives (though I tested this one pretty extensively and feel
> pretty confident about it).
>
> Hope it helps.
>
> --
> Public key #7BBC68D9 at            |                 Shane Williams
> http://pgp.mit.edu/                |      System Admin - UT iSchool
> =----------------------------------+-------------------------------
> All syllogisms contain three lines |              shanew at ...94...
> Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
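An added illustration (not from the thread or from either poster) of one false-negative case worth checking when tuning the rule above: the content string is exactly 76 characters, one full MIME base64 line, so Snort's raw byte match finds it when the sending mailer wraps base64 at 76 columns but misses it when the same attachment is wrapped at another width and a CRLF lands inside the pattern. The attachment name and the surrounding base64 bytes below are constructed, not taken from the worm.

```python
import base64
import re

# The content string from Shane's rule, reassembled here from his two split lines.
SOBIG_F_CONTENT = (
    b"VDvdKcYWznRbLRPadQ+V576YUs6FwBGG"
    b"rYnr7cqYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A"
)


def raw_content_match(payload: bytes) -> bool:
    """Approximates Snort's content: option: a plain byte search over the raw stream."""
    return SOBIG_F_CONTENT in payload


def unwrapped_content_match(payload: bytes) -> bool:
    """Same search after stripping the line wrapping of the base64 body."""
    return SOBIG_F_CONTENT in re.sub(rb"\r?\n", b"", payload)


def build_smtp_data(b64: bytes, width: int) -> bytes:
    """Constructed MIME part: headers plus the base64 body wrapped at `width` columns."""
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    header = (b'Content-Type: application/octet-stream; name="attachment.bin"\r\n'
              b"Content-Transfer-Encoding: base64\r\n\r\n")
    return header + b"\r\n".join(lines) + b"\r\n"


# Constructed base64 stream: three 76-column lines of filler (57 bytes each encode
# to 76 characters), then the rule's pattern as one full line, then one more line.
CONSTRUCTED_B64 = (base64.b64encode(bytes(range(171)))
                   + SOBIG_F_CONTENT
                   + base64.b64encode(bytes(range(57))))


def demo() -> dict:
    """Compare raw and unwrapped matching for 76- and 64-column wrapping."""
    wrapped76 = build_smtp_data(CONSTRUCTED_B64, 76)
    wrapped64 = build_smtp_data(CONSTRUCTED_B64, 64)
    return {
        "raw_76": raw_content_match(wrapped76),            # True
        "raw_64": raw_content_match(wrapped64),            # False: CRLF splits the pattern
        "unwrapped_64": unwrapped_content_match(wrapped64),  # True
    }


if __name__ == "__main__":
    print(demo())
```

A mailer that re-encodes or re-wraps the attachment produces the second case, so pairing the rule with a check on an unwrapped or decoded copy of the body catches what the raw match misses.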



