[Snort-sigs] Re: Snort Virus Rules

Sam Evans sam at ...219...
Mon Feb 24 08:41:14 EST 2003


I created some signatures on the fly, based on the virus advisories.  I 
cannot guarantee that they will work, but should hopefully provide a 
starting point. 

alert tcp $HOME_NET any -> any 25 (msg: "VIRUS - Lovegate"; content: "hello_dll at ...1318..."; rev:1;)
alert tcp $HOME_NET any -> any 25 (msg: "VIRUS - Lovegate"; content: "hacker117 at ...1318..."; rev:1;)
alert tcp $HOME_NET any -> any 25 (msg: "VIRUS - Lovegate"; content: "54love at ...1319..."; rev:1;)


Thanx,
Sam 

Sam Evans writes: 

> Hiya.  I was wondering if anyone has come up with some signatures to 
> identify machines infected with the WORM_LOVEGATE.C
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LOVGATE.C&VSect=T
> 
> Thought I'd ask before I reinvent the wheel.  
> 
> Thanks,
> Sam  
> 
 



