[Snort-sigs] Rule for Sobig.F
Hugo van der Kooij
hvdkooij at ...481...
Fri Aug 22 07:30:11 EDT 2003
On Fri, 22 Aug 2003, Jonathan Norman wrote:
> Has anyone had any problems with this rule falsing?
> > alert tcp any any -> any 25 (msg:"Probable Sobig.F in SMTP";\
> > content:"VDvdKcYWznRbLRPadQ+V576YUs6FwBGG\
> > rYnr7cqYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A";\
> > sid:9000019; classtype:misc-activity; rev:1;)
Until now each syslog event concurs with an SMTP message, which may
include bounces and double bounces.
All email sent to me is bound to the rules described on my homepage.
hvdkooij at ...481... http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.
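Added example, not part of the original post: a Python triage helper that tells a direct hit on the rule's content string from one carried inside a bounce or double bounce. It assumes bounces attach the original as a `message/rfc822` part; the sample messages, addresses and boundaries are constructed.

```python
import email

# Content string from the rule quoted above: one full 76-character base64 line.
SIG = ("VDvdKcYWznRbLRPadQ+V576YUs6FwBGG"
       "rYnr7cqYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A")

def signature_depths(msg, depth=0):
    """List the message/rfc822 nesting depth of each MIME part containing SIG."""
    if msg.get_content_type() == "message/rfc822" and msg.is_multipart():
        return [d for m in msg.get_payload() for d in signature_depths(m, depth + 1)]
    if msg.is_multipart():
        return [d for p in msg.get_payload() for d in signature_depths(p, depth)]
    return [depth] if SIG in (msg.get_payload() or "") else []

def classify(raw):
    """Label a raw message by the shallowest place the signature appears."""
    depths = signature_depths(email.message_from_string(raw))
    if not depths:
        return "no match"
    return {0: "direct", 1: "bounce"}.get(min(depths), "double bounce")

# Constructed sample messages (addresses, boundaries and filler are made up).
def sample(body_line):
    return ("From: a@example.com\nTo: b@example.com\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="o"\n\n'
            "--o\nContent-Type: text/plain\n\nhello\n"
            "--o\nContent-Type: application/octet-stream\n"
            "Content-Transfer-Encoding: base64\n\n"
            "QUJDREVGR0hJ\n" + body_line + "\n--o--\n")

def bounce(inner, boundary):
    """Wrap a message in a constructed delivery report with a distinct boundary."""
    return ("From: MAILER-DAEMON@example.net\nTo: a@example.com\nMIME-Version: 1.0\n"
            f'Content-Type: multipart/report; boundary="{boundary}"\n\n'
            f"--{boundary}\nContent-Type: text/plain\n\nDelivery failed.\n"
            f"--{boundary}\nContent-Type: message/rfc822\n\n{inner}\n--{boundary}--\n")

ORIGINAL = sample(SIG)
BOUNCE = bounce(ORIGINAL, "b1")
DOUBLE = bounce(BOUNCE, "b2")
CLEAN = sample("QUJDREVGR0hJ")

if __name__ == "__main__":
    for name, raw in [("original", ORIGINAL), ("bounce", BOUNCE),
                      ("double", DOUBLE), ("clean", CLEAN)]:
        print(name, "->", classify(raw))
```

A bounce that quotes the original inline as plain text rather than as `message/rfc822` is reported as "direct" by this helper.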