[Snort-sigs] W32.Dumaru Sig

Nick Duda nduda at ...1896...
Wed Oct 29 08:43:28 EST 2003


Very nice, I was more concerned about if I had an infected system, I
would like to detect the IRC Trojan talking out to the IRC channel. I
did find out I had the IRC rules #PSI#. This was for policy reasons,
however I've re-enabled it.

-----Original Message-----
From: Erwin Van de Velde [mailto:erwin.vandevelde at ...1989...] 
Sent: Wednesday, October 29, 2003 11:28 AM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] W32.Dumaru Sig

Hi,

I just made this simple rule:
alert tcp any 110 -> $HOME_NET any (msg: "ALERT!!! Incoming W32/Dumaru virus by e-mail!"; content:"Use this patch immediately"; sid: 10000010; rev: 1;)

I don't know if this is enough, but I get all W32/Dumaru at ...871... viruses in
emails with subject "Use this patch immediately"....

Any comments on that?

Erwin


On Wednesday 29 October 2003 13:30, Nick Duda wrote:
> Anyone have a sig for W32.Dumaru at ...110...? Or better yet a sig to detect IRC
> traffic.
>
> Lastly, I hate to ask questions that either have been asked before or
> have a resource to look at. Does anyone know of a KB of snort sigs?
>
> - Nick
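
The rule quoted in this thread matches its string anywhere in traffic from port 110, so it also fires on mail that merely quotes the phrase, such as a list reply discussing the rule. The following is an added example, not code from either poster or from Snort: it compares that bare match with a check anchored to the Subject header. The function names and sample payloads are constructed, and each payload is assumed to be one fully reassembled POP3 RETR response.

```python
from email import message_from_bytes

# String taken from the rule and subject line quoted in this thread.
PHRASE = b"Use this patch immediately"


def naive_match(payload: bytes) -> bool:
    """Mimic a bare content: option: the phrase anywhere in the payload."""
    return PHRASE in payload


def subject_match(payload: bytes) -> bool:
    """Match only when the parsed Subject header equals the phrase.

    Exact equality is an assumption made for this example.
    """
    status, _, rest = payload.partition(b"\r\n")
    if not status.startswith(b"+OK"):  # not a successful POP3 response
        return False
    subject = str(message_from_bytes(rest).get("Subject", ""))
    return subject.strip() == PHRASE.decode()


# Constructed sample payloads (no real message content).
SAMPLES = {
    "subject_hit": (
        b"+OK 212 octets\r\nFrom: sender@example.com\r\n"
        b"To: user@example.org\r\nSubject: Use this patch immediately\r\n"
        b"\r\nSee the attached file.\r\n.\r\n"
    ),
    "list_discussion": (
        b"+OK 340 octets\r\nFrom: list@example.net\r\n"
        b"Subject: Re: [Snort-sigs] W32.Dumaru Sig\r\n\r\n"
        b"I just made this simple rule:\r\n"
        b'content:"Use this patch immediately";\r\n.\r\n'
    ),
    "unrelated": (
        b"+OK 120 octets\r\nFrom: a@example.com\r\n"
        b"Subject: Lunch on Friday\r\n\r\nNoon?\r\n.\r\n"
    ),
}


def compare(samples):
    """Return {name: (naive_result, subject_result)} for each payload."""
    return {n: (naive_match(p), subject_match(p)) for n, p in samples.items()}


if __name__ == "__main__":
    for name, result in compare(SAMPLES).items():
        print(f"{name:16} naive={result[0]} subject={result[1]}")
```
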




