[Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a?

Burak DAYIOGLU dayioglu at ...508...
Tue May 20 22:21:07 EDT 2003


On Tue, 2003-05-20 at 18:04, Robert Reid wrote:
> Just loaded this rule on two sensors and immediately started getting 1000's
> of false positives per min.
> Robert

Are you sure that the alerts are merely false positives? I believe that
you are infected ;)

The rule below is one of the longest pattern-matching rules in the whole
snort ruleset; I don't suspect it to generate many false positives.
(Actually, such long patterns *generally* cause false negatives at all :)

> alert tcp any any -> any 25 (msg:"Possible Palyh virus in SMTP"; \
> content:"2f6LwTPJiUgEAggMEMcAQEJBAMP9d///Vovx6AoAAC/2RCQIAXQHVgyEWlmLxl7CBAAH2X7fG4tG"; \
> sid:9000018; classtype:misc-activity; rev:1;)

With regards,
-- 
Burak DAYIOGLU
Phone: +90 312 2103379      Fax: +90 312 2103333
http://www.dayioglu.net        ICQ UIN: 72276975
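An added example (not from this thread, and not Snort or project code) of why a content match this long tends to miss rather than false-alarm. It simulates Snort's `content:` as an exact byte substring, builds its own SMTP message around a seeded random attachment (no worm bytes), and assumes the quoted pattern is meant to hit the base64-encoded attachment on the wire. Counting the quoted pattern gives exactly 76 characters, one RFC 2045 base64 line, which is the alignment the demo explores.

```python
import base64
import random

# The content pattern quoted in the thread's rule (sid 9000018), rejoined
# across the mail wrap. It is exactly 76 characters: one RFC 2045 base64 line.
PALYH_RULE_CONTENT = (
    "2f6LwTPJiUgEAggMEMcAQEJBAMP9d///Vovx6AoAAC/2RCQIAXQHVgyEWlmLxl7CBAA"
    "H2X7fG4tG"
)

MIME_LINE = 76  # base64 line width used by most MIME encoders


def rule_pattern_length() -> int:
    """Length of the quoted pattern; equals MIME_LINE, i.e. one encoded line."""
    return len(PALYH_RULE_CONTENT)


def mime_base64(data: bytes, line_len: int = MIME_LINE, eol: bytes = b"\r\n") -> bytes:
    """Encode like a MIME attachment body: base64 cut into fixed-width lines."""
    enc = base64.b64encode(data)
    lines = [enc[i:i + line_len] for i in range(0, len(enc), line_len)]
    return eol.join(lines) + eol


def smtp_message(attachment: bytes, **wrap) -> bytes:
    """Constructed SMTP DATA payload carrying one base64 attachment."""
    headers = (b"From: sender@example.test\r\n"
               b"To: victim@example.test\r\n"
               b"Subject: constructed sample\r\n"
               b"MIME-Version: 1.0\r\n"
               b"Content-Type: application/octet-stream; name=\"sample.bin\"\r\n"
               b"Content-Transfer-Encoding: base64\r\n\r\n")
    return headers + mime_base64(attachment, **wrap)


def content_match(payload: bytes, pattern: str) -> bool:
    """Snort 'content:' in miniature: an exact, case-sensitive byte substring."""
    return pattern.encode() in payload


# Constructed stand-in for the attachment bytes (seeded random, not malware).
_rng = random.Random(2003)
SAMPLE = bytes(_rng.getrandbits(8) for _ in range(1200))
ENCODED = base64.b64encode(SAMPLE).decode()


def demo() -> dict:
    """Try 76-byte patterns against three encodings of the same attachment."""
    msg_crlf = smtp_message(SAMPLE)                  # RFC-style CRLF, 76 cols
    msg_lf = smtp_message(SAMPLE, eol=b"\n")         # bare LF line ends
    msg_64 = smtp_message(SAMPLE, line_len=64)       # encoder wrapping at 64

    # Pattern = the second full encoded line, as the quoted rule appears to be.
    aligned = ENCODED[MIME_LINE:2 * MIME_LINE]
    # Same length, shifted 10 chars, so on the wire it spans a line break.
    straddle = ENCODED[MIME_LINE + 10:2 * MIME_LINE + 10]
    # The straddling bytes with the CRLF written into the pattern.
    with_crlf = (ENCODED[MIME_LINE + 10:2 * MIME_LINE] + "\r\n"
                 + ENCODED[2 * MIME_LINE:2 * MIME_LINE + 10])

    return {
        "aligned_crlf": content_match(msg_crlf, aligned),      # True
        "aligned_lf": content_match(msg_lf, aligned),          # True
        "aligned_wrap64": content_match(msg_64, aligned),      # False: crosses a break
        "straddle_crlf": content_match(msg_crlf, straddle),    # False: CRLF in the middle
        "with_crlf_crlf": content_match(msg_crlf, with_crlf),  # True
        "with_crlf_lf": content_match(msg_lf, with_crlf),      # False: sender used LF
    }


if __name__ == "__main__":
    print("rule pattern length:", rule_pattern_length())
    for name, hit in demo().items():
        print(f"{name:16s} {'match' if hit else 'no match'}")
```

The pattern only fires when the sender's encoder wraps at the same width and with the same line terminator the rule author saw, which is the false-negative side Burak alludes to; a real false positive would require another message to carry these exact 76 base64 characters, which is why a flood of hits points at real infected mail rather than noise.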
