[Snort-sigs] Quickie rule to catch the new price.zip virus going around

Paul Tinsley jackhammer at ...2420...
Mon Aug 9 14:11:02 EDT 2004


Comments welcome, as I said written in a hurry, seems to work in my
environment just fine.  If you are sitting somewhere that you can see
traffic between mail servers you may need to add a pass rule for the
mail servers as a source so they don't show up as infected sources.

alert tcp any any -> any 25 (msg:"Price Virus traffic
(WORM_Bagle.AC)"; sid:1200035; rev:1;
reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AC;
content:"filename="; content:"price"; within: 10; content: ".zip";
within: 10;)

Thanks,
          Paul Tinsley




More information about the Snort-sigs mailing list