[Snort-sigs] SID 2161

Nigel Houghton nigel at ...435...
Fri Jun 27 05:06:04 EDT 2003


Thank you for your contribution. However, the information contained in your document is incomplete. Please re-submit to the list with all sections completed.

For your reference please look at the documents submitted by Kevin Peuhkurinen, here's a link to one...

http://sourceforge.net/mailarchive/forum.php?thread_id=2571041&forum_id=7141

Also, please refer to my previous mailing on document submission:

http://sourceforge.net/mailarchive/forum.php?thread_id=2647238&forum_id=7141

Thanks,
Nigel Houghton

On Thu, 26 Jun 2003 10:17:49 -0400 (EDT)
Sam Evans <sam at ...219...> wrote:

> # This is a template for submitting snort signature descriptions to
> # the snort.org website
> #
> # Ensure that your descriptions are your own
> # and not the work of others.  References in the rules themselves
> # should be used for linking to other's work.
> #
> # If you are unsure of some part of a rule, use that as a commentary
> # and someone else perhaps will be able to fix it.
> #
> # $Id$
> #
> #
> 
> Rule:
> alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"OUTBOUND .doc file
> attachment"; flow:to_server,established;
> content:"Content-Disposition|3a|"; content:"filename=|22|"; distance:0;
> within:30; content:".doc|22|"; distance:0; within:30; nocase;
> classtype:misc-activity; sid:2161; rev:2;)
> 
> --
> Sid:
> 2161
> 
> --
> Summary:
> Rule previously was labeled VIRUS OUTBOUND .doc file attachment.  I have
> found this to be inaccurate as this rule fires on any .doc file going
> outbound; virus infected or not.  Felt this should be changed as to not
> mislead customers that this rule is correctly detecting virus infected
> documents.
> 
> 
> --
> Impact:
> Informational Only
> 
> --
> Detailed Information:
> 
> --
> Affected Systems:
> Microsoft Platforms
> 
> --
> Attack Scenarios:
> N/A
> 
> --
> Ease of Attack:
> N/A
> 
> --
> False Positives:
> N/A
> 
> --
> False Negatives:
> N/A
> 
> --
> Corrective Action:
> N/A
> 
> --
> Contributors:
> Existing rule in the Snort.org ruleset.
> 
> -- 
> Additional References:
> N/A
> 
> 
> 

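The quoted summary says the rule fires on any outbound .doc attachment, infected or not. As an added example (not part of either message, and not Snort code), this Python sketch models the rule's content/distance/within/nocase chain and runs it over constructed MIME headers. The names `rule_matches`, `find_all` and `mime_part` and the sample filenames are assumptions made for illustration; the rule header, flow state and stream reassembly are not modelled.

```python
# Simplified model of the content chain in SID 2161 (not Snort's own code).
# Each entry: (pattern, nocase, relative). Relative contents carry
# distance:0; within:30 in the rule, measured from the previous match's end.
CHAIN = [
    (b"Content-Disposition:", False, False),  # |3a| is ':'
    (b'filename="', False, True),              # |22| is '"'
    (b'.doc"', True, True),                    # only this content has nocase
]
DISTANCE, WITHIN = 0, 30


def find_all(data, pat, nocase, lo, hi):
    """Yield the end offset of every match of pat lying wholly in data[lo:hi]."""
    hay = data.lower() if nocase else data
    needle = pat.lower() if nocase else pat
    pos = hay.find(needle, lo, hi)
    while pos != -1:
        yield pos + len(pat)
        pos = hay.find(needle, pos + 1, hi)


def rule_matches(payload, idx=0, cursor=0):
    """True if every content in CHAIN matches in order.

    If a later content fails, the next candidate of the earlier content is
    tried, so a second attachment in the same payload is still found.
    """
    if idx == len(CHAIN):
        return True
    pat, nocase, relative = CHAIN[idx]
    lo = cursor + DISTANCE if relative else 0
    hi = min(len(payload), lo + WITHIN) if relative else len(payload)
    return any(rule_matches(payload, idx + 1, end)
               for end in find_all(payload, pat, nocase, lo, hi))


def mime_part(filename):
    """Constructed sample: headers of one MIME attachment in an SMTP DATA stream."""
    return (b"Content-Type: application/msword\r\n"
            b"Content-Transfer-Encoding: base64\r\n"
            b'Content-Disposition: attachment; filename="' + filename + b'"\r\n\r\n')


if __name__ == "__main__":
    # Constructed filenames; none of these parts carries any malicious content.
    for name in (b"minutes.doc", b"REPORT.DOC", b"minutes.pdf"):
        print(name.decode(), "->", "alert" if rule_matches(mime_part(name)) else "no alert")
```

Nothing in the chain inspects the attachment body, so the alert depends only on the header and the filename extension.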