[Snort-sigs] Quickie rule to catch the new price.zip virus going around
jackhammer at ...2420...
Mon Aug 9 14:11:02 EDT 2004
Comments welcome. As I said, written in a hurry; seems to work in my
environment just fine. If you are sitting somewhere that you can see
traffic between mail servers, you may need to add a pass rule for the
mail servers as a source so they don't show up as infected sources.
alert tcp any any -> any 25 (msg:"Price Virus traffic (WORM_Bagle.AC)"; \
    sid:1200035; rev:1; \
    content:"filename="; content:"price"; within: 10; content: ".zip";)
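An added example, not part of the original post: a Python emulation of the three content options in the rule above, run on constructed MIME header lines, to show which payloads the rule fires on. It assumes Snort's documented content semantics (case-sensitive matching, `within` counted from the end of the previous match, an unmodified content searched from the start of the payload); the function name and sample payloads are made up for illustration.

```python
# Emulates only the payload options of the rule; the rule header
# (tcp, destination port 25) is not modelled here.
# Each entry: (pattern, within). within=None means "search the whole payload".
RULE = [
    (b"filename=", None),
    (b"price", 10),      # must lie entirely within 10 bytes after "filename="
    (b".zip", None),     # no relative modifier: may match anywhere in the payload
]

def rule_matches(payload, opts=RULE, idx=0, cursor=0):
    """True if every content option matches, retrying later occurrences
    of an earlier pattern when a relative match fails (backtracking)."""
    if idx == len(opts):
        return True
    pattern, within = opts[idx]
    if within is None:
        start, end = 0, len(payload)
    else:
        start, end = cursor, min(len(payload), cursor + within)
    pos = payload.find(pattern, start, end)
    while pos != -1:
        if rule_matches(payload, opts, idx + 1, pos + len(pattern)):
            return True
        pos = payload.find(pattern, pos + 1, end)
    return False

HDR = b"Content-Disposition: attachment; "
# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "worm_attachment": HDR + b'filename="price.zip"\r\n',
    "benign_similar_name": HDR + b'filename="new_price_list_2004.zip"\r\n',
    "zip_elsewhere": HDR + b'filename="price.txt"\r\n\r\nSee archive.zip\r\n',
    "price_too_far": HDR + b'filename="quarterly_report_price.zip"\r\n',
    "second_part": HDR + b'filename="notes.txt"\r\n--b\r\n'
                   + HDR + b'filename="price.zip"\r\n',
}

def evaluate(samples=SAMPLES):
    """Return {sample name: whether the emulated rule would alert}."""
    return {name: rule_matches(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:22} {'ALERT' if hit else 'no alert'}")
```

The `benign_similar_name` and `zip_elsewhere` cases alert as well, so expect false positives from ordinary attachments whose names merely contain "price" near the start.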