[Snort-sigs] W32.Dumaru Sig

Erwin Van de Velde erwin.vandevelde at ...1989...
Wed Oct 29 08:30:11 EST 2003


I just made this simple rule:
alert tcp any 110 -> $HOME_NET any (msg: "ALERT!!! Incoming W32/Dumaru virus 
by e-mail!"; content:"Use this patch immediately"; sid: 10000010; rev: 1;)

I don't know if this is enough, but I get all W32/Dumaru at ...871... virusses in emails 
with subject "Use this patch immediately"....

Any comments on that?


On Wednesday 29 October 2003 13:30, Nick Duda wrote:
> Anyone have a sig for W32.Dumaru at ...110...? Or better yet a sig to detect IRC
> traffic.
> Lastly, I hate to ask questions that either have been asked before or
> have a resource to look at. Does anyone know of a KB of snort sigs?
> - Nick

More information about the Snort-sigs mailing list