[Snort-sigs] Quick Sobig.f rule

Paul Schmehl pauls at ...1311...
Fri Aug 22 16:15:14 EDT 2003

I threw up this rule to catch Sobig.f trying to access its bots for 
downloads.  You might also want to block 8998/UDP at your edge:

# This rule should catch Sobig.f infected clients
alert udp $HOME_NET any -> any 8998 (msg: "ALERT!!! Sobig.f infection!!"; 
classtype:trojan-activity; sid: 10000009; rev: 1;)

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

More information about the Snort-sigs mailing list