[Snort-sigs] New bagle variant

Matthew Jonkman mjonkman at ...2436...
Mon Aug 16 07:52:05 EDT 2004


Just posted this to Bleedingsnort.com for the Bagle variant out there. 
Seems to be moving fast, but a few AV engines have not yet identified it.

This rule will certainly have a few falses, but if you have a real 
infected one I'm sure it'll hit a number of these.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; \
    reference:url,http.isc.sans.org/diary.php?date=2004-08-09; \
    uricontent:"2.jpg"; sid:2001061; rev:1;)

Matt
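
The false positives mentioned above come from uricontent being a plain substring match on the request URI. The sketch below is an added example, not part of the original post or of Snort: it reads the options out of the posted rule and runs a simplified model of the match over constructed sample URIs, separating requests whose file name is exactly 2.jpg from the rest. The function names and the basename check are hypothetical triage helpers.

```python
import re
from urllib.parse import urlsplit, unquote

# Rule as posted, with the header variable spelled $HOME_NET.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"BLEEDING-EDGE Bagle Variant Requesting 2.jpg"; '
        'reference:url,http.isc.sans.org/diary.php?date=2004-08-09; '
        'uricontent:"2.jpg"; sid:2001061; rev:1;)')

# Constructed sample request URIs (not captured traffic).
SAMPLE_URIS = [
    '/2.jpg', '/images/2.jpg', '/%32.jpg',            # file really is 2.jpg
    '/gallery/photo12.jpg', '/news/2004-08-02.jpg',   # substring only
    '/thumb.php?src=a2.jpg',                          # substring in query
    '/2.JPG', '/index.html',                          # no match (case, absent)
]

def parse_options(rule):
    """Split the parenthesised option block into a {keyword: value} dict."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts = {}
    for m in re.finditer(r'\s*(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;', body):
        opts[m.group(1)] = (m.group(2) or '').strip('"')
    return opts

def uricontent_hits(uri, needle):
    """Simplified model: case-sensitive substring of the percent-decoded URI."""
    return needle in unquote(uri)

def basename_is(uri, name):
    """Stricter triage check: the last path segment is exactly `name`."""
    return unquote(urlsplit(uri).path).rsplit('/', 1)[-1] == name

def triage(uris, rule=RULE):
    """Return which URIs alert, and which of those need manual review."""
    needle = parse_options(rule)['uricontent']
    alerts = [u for u in uris if uricontent_hits(u, needle)]
    exact = [u for u in alerts if basename_is(u, needle)]
    review = [u for u in alerts if u not in exact]
    return {'alerts': alerts, 'exact': exact, 'review': review}

if __name__ == '__main__':
    for bucket, uris in triage(SAMPLE_URIS).items():
        print(bucket, uris)
```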



