[Snort-sigs] Further tweaks for the Evaman rule

Matthew Jonkman matt at ...2436...
Tue Jul 6 04:54:01 EDT 2004


alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Evaman Worm Outbound"; content:"filename="; pcre:"m/(body|message|email|returned|text|document).(scr|txt.scr|html.scr|outlook.scrtxt.exe)/"; content:"formart"; reference:url,secunia.com/virus_information/10429/evaman; sid:2000343; rev:3;)

It was hitting on the warning emails about an evaman rule. These tweaks 
should eliminate that and also add the misspelling of format to make 
this more accurate.

Input welcome as always. This is up on bleeding.

Matt
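
Added example, not part of the original post and not Snort's own code: a small Python emulation of how the three payload options in the rev 3 rule combine, run over constructed SMTP payloads. The sample messages and the function names are assumptions made for illustration; none of them is a captured Evaman message.

```python
import re

# Rule text as posted (rev 3), joined onto one line.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS '
        'Possible Evaman Worm Outbound"; content:"filename="; pcre: '
        '"m/(body|message|email|returned|text|document).'
        '(scr|txt.scr|html.scr|outlook.scrtxt.exe)/"; content:"formart"; '
        'reference:url,secunia.com/virus_information/10429/evaman; '
        'sid:2000343; rev:3;)')

def parse_options(rule):
    """Return the content and pcre options in the order they appear."""
    opts = []
    for key, val in re.findall(r'\b(content|pcre):\s*"([^"]*)"', rule):
        if key == "pcre":
            # Accept /re/ or m<delim>re<delim>; this rule carries no flags.
            body = val[1:] if val.startswith("m") else val
            val = body[1:body.rindex(body[0])]
        opts.append((key, val))
    return opts

def matches(rule, payload):
    """True when every option is found somewhere in the payload.
    The rule has no nocase, offset, depth or relative modifiers, so each
    test is a case-sensitive search of the whole payload."""
    for key, val in parse_options(rule):
        if key == "content" and val.encode() not in payload:
            return False
        if key == "pcre" and not re.search(val.encode(), payload):
            return False
    return True

# Constructed payloads (illustrative only).
ATTACHMENT = (b'Content-Disposition: attachment;\r\n filename="message.scr"\r\n'
              b'\r\nsent in an unknown formart\r\n')
ADVISORY = (b'Subject: Evaman warning\r\n\r\nDo not open attachments such as '
            b'filename=message.scr or document.txt.scr\r\n')
ADVISORY_QUOTING = ADVISORY + b'The body misspells format as "formart".\r\n'
LOOSE_DOT = b'filename=notes\r\nplain text_scr entry, wrong formart\r\n'
UPPERCASE = ATTACHMENT.upper()

if __name__ == "__main__":
    for name in ("ATTACHMENT", "ADVISORY", "ADVISORY_QUOTING",
                 "LOOSE_DOT", "UPPERCASE"):
        print(f"{name:17} alert={matches(RULE, globals()[name])}")
```

The last three samples show the rule's remaining edges: an advisory that quotes the misspelling still alerts, the unescaped `.` in the pcre accepts any character, and an all-uppercase payload is missed because no option is case-insensitive.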