[Snort-sigs] New MiMail infection signature
kbell at ...1998...
Mon Nov 3 07:00:11 EST 2003
I get the digest version of snort-sigs, so someone may have already posted
One of the our in-house systems got a MiMail variant infected email, which
should have been blocked at our borders.
One of the results of MiMail is that it attacks 'www.darkprofits.com' on
port 80. I threw this together to look for that outbound traffic and found
about 100 infected systems with thousands of hits against this on our
network in about 2 minutes:
alert tcp any any -> 220.127.116.11 80 (msg:"Infected with new MiMail";
classtype:policy-violation; sid:10000003; rev:1;)
We have no business going to this address, especially with thousands of
hits, so it's safe to say that all IPs hitting this system are infected.
More information about the Snort-sigs