[Snort-sigs] mydoom.f sig

Danny Espinoza DEspinoza at ...2273...
Wed Feb 25 06:33:11 EST 2004

here is the sig I have been using on my network for mydoom.f ... it
seems to be working with no false positives please message me with any
recomendations or false positives

alert tcp any any -> any any (msg:"Virus - MyDoom.F
Worm";content:"gICAgICAgICAgICAgICAgICAg";content:"|57 69 6E 64 6F 77 73
2D 31 32 35 32|";classtype:misc-attack; rev:1;)

- Danny

More information about the Snort-sigs mailing list