[Snort-sigs] Rule for Sobig.F

Hugo van der Kooij hvdkooij at ...481...
Fri Aug 22 07:30:11 EDT 2003

On Fri, 22 Aug 2003, Jonathan Norman wrote:

> Has anyone had any problems with this rule falsing?
> > alert tcp any any -> any 25 (msg:"Probable Sobig.F in SMTP";\
> > content:"VDvdKcYWznRbLRPadQ+V576YUs6FwBGG\
> > rYnr7cqYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A";\
> > sid:9000019; classtype:misc-activity; rev:1;)

Untill now each syslog event concurs with a smtp message. Which may 
include bounces and double bounces.


 All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.

More information about the Snort-sigs mailing list