[Snort-sigs] Re: Snort Virus Rules

Sam Evans sam at ...219...
Mon Feb 24 08:41:29 EST 2003


Sorry, looks like my mailer botched those rules.  Here they are again: 


alert tcp $HOME_NET any -> any 25 (msg: "Possible VIRUS - Lovegate"; content: "hello_dll at ...1318..."; rev:1;)
alert tcp $HOME_NET any -> any 25 (msg: "Possible VIRUS - Lovegate"; content: "hacker117 at ...1318..."; rev:1;)
alert tcp $HOME_NET any -> any 25 (msg: "Possible VIRUS - Lovegate"; content: "54love at ...1319..."; rev:1;)


Sam Evans writes: 

> I created some signatures on the fly, based on the virus advisories.  I 
> cannot guarantee that they will work, but should hopefully provide a 
> starting point.  
> 
> alert tcp $HOME_NET any -> any 25 (msg: "VIRUS - Lovegate"; content: 
> "hello_dll at ...1318..."; rev:1;)
> alert tcp $HOME_NET any -> any 25 (msg: "VIRUS - Lovegate"; content: 
> "hacker117 at ...1318..."; rev:1; sid:)
> alert tcp $HOME_NET any -> any 25 (msg: "VIRUS - Lovegate"; content: 
> "54love at ...1319..."; rev:1;  
> 
> 
> Thanx,
> Sam  
> 
> Sam Evans writes:  
> 
>> Hiya.  I was wondering if anyone has come up with some signatures to 
>> identify machines infected with the WORM_LOVEGATE.C
>> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LOVGATE.C&VSect=T
>> 
>> Thought I'd ask before I reinvent the wheel.   
>> 
>> Thanks,
>> Sam   
>> 
> 
 



