[Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a?
dayioglu at ...508...
Tue May 20 22:21:07 EDT 2003
On Tue, 2003-05-20 at 18:04, Robert Reid wrote:
> Just loaded this rule on two sensors and immediately started getting 1000's
> of false positives per min.
Are you sure that the alerts are merely false positives? I believe that
you are infected ;)
The rule below is one of the longest pattern-matching rules in the whole
Snort ruleset; I don't suspect it to generate many false positives.
(Actually, such long patterns *generally* cause false negatives at all
> alert tcp any any -> any 25 (msg:"Possible Palyh virus in SMTP"; \
> H2X7fG4tG"; \ sid:9000018; classtype:misc-activity; rev:1;)
Phone: +90 312 2103379 Fax: +90 312 2103333
http://www.dayioglu.net ICQ UIN: 72276975
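The reply argues that a very long literal `content:` pattern is unlikely to false-positive but is prone to false negatives. The message does not say why, so the following added example (not part of the thread, and not the rule or any Snort code) illustrates one plausible mechanism, stated here as an assumption: an e-mail attachment travels base64-encoded and MIME-wrapped into lines, and a long literal pattern taken from that encoding will straddle a CRLF whenever the encoder's line width differs from what the signature author saw. The attachment bytes, addresses and patterns are constructed stand-ins, not the Palyh binary.

```python
import base64
import hashlib

# Constructed stand-in for an attachment body (NOT the Palyh binary): 1024
# non-repeating bytes derived from SHA-256 so no substring recurs by accident.
ATTACHMENT = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(32))
B64 = base64.b64encode(ATTACHMENT).decode()  # the unwrapped base64 text

# Hypothetical signature strings lifted from the encoding at offset 100:
# a 60-character one (like the long rule in the thread) and a 20-character one.
LONG_PATTERN = B64[100:160]
SHORT_PATTERN = B64[100:120]


def mime_wrap(b64: str, width: int) -> str:
    """Split base64 text into CRLF-terminated lines of `width` characters, the way
    MIME encoders do (RFC 2045 uses 76; other tools use 72 or 64; 0 = no wrapping)."""
    if width <= 0:
        return b64 + "\r\n"
    return "".join(b64[i:i + width] + "\r\n" for i in range(0, len(b64), width))


def smtp_payload(body_b64: str) -> str:
    """Minimal DATA section wrapped around the encoded attachment (constructed)."""
    return ("From: sender@example.test\r\nTo: rcpt@example.test\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\n" + body_b64)


def raw_content_match(payload: str, pattern: str) -> bool:
    """What a plain literal content match sees: the bytes exactly as on the wire."""
    return pattern in payload


def unwrapped_content_match(payload: str, pattern: str) -> bool:
    """The same test after the line breaks are removed, i.e. what a MIME-aware
    decoder would hand to the matcher."""
    return pattern in payload.replace("\r\n", "")


def fits_without_break(offset: int, length: int, width: int) -> bool:
    """True if a pattern of `length` chars starting at base64 `offset` lies
    entirely within one wrapped line of `width` characters."""
    if width <= 0:
        return True
    return offset // width == (offset + length - 1) // width


def coverage(pattern: str, widths=(0, 64, 72, 76)) -> dict:
    """Map each encoder line width to whether the raw literal match still fires."""
    return {w: raw_content_match(smtp_payload(mime_wrap(B64, w)), pattern) for w in widths}


if __name__ == "__main__":
    print("long pattern :", coverage(LONG_PATTERN))   # only the unwrapped case matches
    print("short pattern:", coverage(SHORT_PATTERN))  # matches at every width
```

The long pattern matches only when the encoder emits no line breaks at all; at 64, 72 and 76 columns it crosses a CRLF and the literal match misses the very attachment it was written for, while the shorter pattern fits inside a line at every width. Very long literals buy specificity at the cost of this kind of silent miss, which is the trade-off the reply is pointing at; matching on decoded or unwrapped content, or choosing patterns that fit comfortably inside a 64-character line, keeps the specificity without the brittleness.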