[Snort-sigs] Problems with SID 2161

Sam Evans sam at ...219...
Mon Jun 23 14:56:24 EDT 2003

I don't disagree.  I was surprised when I saw this signature show up when
I ran Oinkmaster, however, if all this thing is doing is identifying when
.doc files are being emailed out, then I would say it's msg is highly

I would place this signature in the Policy enforcement classification and
change the name from VIRUS OUTBOUND .doc file attachment to OUTBOUND .doc
file attachment...

Anyhow, my .02 for whatever it's worth.


> Yep.  When .doc files are transfered via email.  If you allow that,
> then turn the rule off.  Be forewarned that a number of virus
> implementations use vulnerabilities in Microsoft word for propagation.
> If you want real virus protection, install a virus scanner on your
> mail server.  Using snort to detect virus infections is a stop-gap at
> best.
> -brian

More information about the Snort-sigs mailing list