[Snort-sigs] Re: Swen sigs

Martin Overton martin at ...1997...
Sat Nov 1 02:04:09 EST 2003


Here are mine, and they seem to be working just fine:

These sigs will detect it in both MIME and Binary formats.

alert tcp $EXTERNAL_NET any -> any any (msg:"W32.Swen at ...110... - SMB"; content:"|59 59 85 C0 74 09 6A 01 58 83 4D FC FF EB 15 FF 85 E0 FE FF FF EB C7 6A 01 58 C3 8B 65 E8 83 4D|"; classtype:misc-activity; rev:1;)

alert tcp $EXTERNAL_NET any -> any any (msg:"W32.Swen at ...110... - MIME"; content:"QABohKNAAGShAAAAAFBkiSUAAAAAgewUAQAAU1ZXiWXoM/+JffyJvdz+//+LdQhW6NORAABZhcB0"; classtype:misc-activity; rev:1;)

Hope this helps?

Regards,
Martin

-- 
Malware/Anti-Malware Specialist - WildList Reporter - AVIEN Charter member
Electronic Ephemera - Hoax FAQ http://arachnophiliac.com/hoax
PGP Fingerprint: 4734 8A99 94BB B63F EA3B  345F 0DCC DCBC DCA4 4AF4
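
Added example (not part of the original post or its rules): a binary byte pattern has no single base64 form, because the encoded text depends on the pattern's file offset modulo 3 and is line-wrapped in transit, which is why a MIME rule needs its own content string. This Python example uses the byte pattern from the SMB rule above against a constructed attachment; the function names and filler bytes are assumptions made for illustration.

```python
import base64

# Byte pattern copied from the binary (SMB) rule in the post above.
PATTERN = bytes.fromhex(
    "59 59 85 C0 74 09 6A 01 58 83 4D FC FF EB 15 FF"
    "85 E0 FE FF FF EB C7 6A 01 58 C3 8B 65 E8 83 4D"
)


def b64_variants(pattern):
    """Base64 text the pattern yields at file offsets 0, 1 and 2 (mod 3).

    Characters that also depend on neighbouring bytes are trimmed, so each
    string can be searched for whatever surrounds the pattern in the file.
    """
    variants = []
    # lead = number of leading characters that mix in the preceding bytes
    for shift, lead in ((0, 0), (1, 2), (2, 3)):
        encoded = base64.b64encode(b"\x00" * shift + pattern).decode("ascii")
        stable_end = ((shift + len(pattern)) // 3) * 4  # whole groups only
        variants.append(encoded[lead:stable_end])
    return variants


def wire_match(body, pattern):
    """Fixed-string match on the body as transmitted, line breaks included."""
    return any(v in body for v in b64_variants(pattern))


def normalized_match(body, pattern):
    """Match after removing the line wrapping MIME adds every 76 characters."""
    flat = "".join(body.split())
    return any(v in flat for v in b64_variants(pattern))


def sample_body(offset):
    """Constructed attachment: filler, the pattern at `offset`, more filler."""
    data = b"\xAA" * offset + PATTERN + b"\xBB" * 40
    return base64.encodebytes(data).decode("ascii")  # wraps at 76 columns


if __name__ == "__main__":
    for off in (0, 1, 2, 45):
        body = sample_body(off)
        print(off, wire_match(body, PATTERN), normalized_match(body, PATTERN))
```

A fixed content string on the wire only fires when the pattern lands inside a single base64 line at the expected alignment, so unwrapping the body before matching is the more robust check.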
