[Snort-sigs] mydoom.f sig

Chintan Gosalia chintan_cmpe at ...144...
Wed Feb 25 14:31:13 EST 2004


Hi,
 
If you have any idea which specific ports to look for the content on, it may help more in reducing false positives. So is the content you are looking for part of the attachment the worm carries (I mean the worm's executable's payload or anything else) or something else? The answer to this question may help make this signature more concrete.
 
Any other feedback is also appreciated.
 
Thanks.
Chintan

Danny Espinoza <DEspinoza at ...2273...> wrote:
Here is the sig I have been using on my network for mydoom.f... it
seems to be working with no false positives. Please message me with any
recommendations or false positives.

alert tcp any any -> any any (msg:"Virus - MyDoom.F Worm"; content:"gICAgICAgICAgICAgICAgICAg"; content:"|57 69 6E 64 6F 77 73 2D 31 32 35 32|"; classtype:misc-attack; rev:1;)



- Danny



_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
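To make the false-positive question concrete, here is an added Python check (not from the thread or from Snort) that decodes Danny's two content patterns, applies them to a constructed benign mail, and shows why the first pattern is weak: it is simply what base64 produces for a long run of spaces, and the second is just the string "Windows-1252". The optional `ports` filter is an assumption standing in for the any->any header Chintan suggests tightening.

```python
import base64
import re

# Danny's rule as posted in the thread (no port restriction, two content matches).
RULE = ('alert tcp any any -> any any (msg:"Virus - MyDoom.F Worm";'
        'content:"gICAgICAgICAgICAgICAgICAg";'
        'content:"|57 69 6E 64 6F 77 73 2D 31 32 35 32|";'
        'classtype:misc-attack; rev:1;)')


def parse_contents(rule):
    """Return the rule's content: patterns as bytes, decoding |hex| sections."""
    patterns = []
    for raw in re.findall(r'content:"([^"]*)"', rule):
        buf = b""
        for i, part in enumerate(raw.split("|")):
            # Odd-indexed parts sit between pipes and are space-separated hex.
            buf += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
        patterns.append(buf)
    return patterns


def rule_matches(rule, payload, dst_port, ports=None):
    """Simplified Snort semantics: every content pattern must occur in the
    payload. `ports` (assumed helper, not a Snort option) is an optional
    destination-port set standing in for a tightened rule header."""
    if ports is not None and dst_port not in ports:
        return False
    return all(p in payload for p in parse_contents(rule))


def base64_of_spaces_triggers(n_spaces):
    """True if base64 of a run of n spaces contains the rule's first pattern."""
    return parse_contents(RULE)[0] in base64.b64encode(b" " * n_spaces)


# Constructed benign mail: a Windows-1252 charset header plus a base64
# attachment of a whitespace-padded text file (no worm involved).
BENIGN_MAIL = (b"Content-Type: text/plain; charset=Windows-1252\r\n"
               b"Content-Transfer-Encoding: base64\r\n\r\n"
               + base64.b64encode(b"Quarterly figures" + b" " * 40 + b"\r\n"))

if __name__ == "__main__":
    print(parse_contents(RULE))
    print("base64 of 24 spaces hits:", base64_of_spaces_triggers(24))
    print("benign mail to port 25 hits:", rule_matches(RULE, BENIGN_MAIL, 25))
    print("same bytes to port 80, rule limited to 25:",
          rule_matches(RULE, BENIGN_MAIL, 80, ports={25}))
```

The benign mail fires the rule as posted, so the two patterns alone describe ordinary base64 mail with a common charset rather than the worm; a port restriction only narrows which traffic is inspected, not what the patterns mean.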


