[Snort-sigs] NETBIOS nimda .eml

Jason Haar Jason.Haar at ...651...
Wed Jun 2 16:48:34 EDT 2004


This is causing a small number of FPs for us too - I wonder if the rule could
be changed?

Nimda (and any other .eml-based virus) contained an executable as a MIME
attachment, so adding another "content:" field should help sort out viral
emails from standard emails.

Standard Windows binaries in base64 format look like:

^TV(qq|qQ|r1|pQ|pA|py|rm|rh|oF|oI|rQ|o8|ou|oA)


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
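Added example (not part of the original post, and not a Snort rule): the pattern works because the base64 encoding of the first three bytes of a Windows binary always starts with "TV" (the DOS "MZ" magic) and the next two characters encode the third byte. The script below derives each alternative of the posted pattern back to the third byte it stands for, and applies the same check to the first base64 line of each attachment in a constructed sample message. Note that Snort's "content:" keyword matches a literal string, so an alternation like this needs the "pcre:" option or one content match per variant. The sample message, filenames and helper names are constructed for the example.

```python
import base64
import email
import re

# The pattern quoted in the post: a base64 line starting "TV" (the "MZ" magic)
# followed by one of the listed two-character encodings of the third byte.
MZ_PATTERN = re.compile(r"^TV(qq|qQ|r1|pQ|pA|py|rm|rh|oF|oI|rQ|o8|ou|oA)")

# The alternatives, kept as a list so we can decode each one back to a byte.
ALTERNATIVES = ["qq", "qQ", "r1", "pQ", "pA", "py", "rm",
                "rh", "oF", "oI", "rQ", "o8", "ou", "oA"]


def b64_prefix(third_byte: int) -> str:
    """Base64 text for the 3-byte group b'MZ' + third_byte (4 chars, no padding)."""
    return base64.b64encode(b"MZ" + bytes([third_byte])).decode("ascii")


def third_bytes_matched() -> dict:
    """Map each alternative of MZ_PATTERN to the third file byte it encodes.

    Every alternative starts with o/p/q/r, whose high four bits (1010) complete
    the 'Z' of 'MZ'; the remaining bits are the third byte of the executable.
    """
    out = {}
    for alt in ALTERNATIVES:
        raw = base64.b64decode("TV" + alt)
        if raw[:2] != b"MZ":  # sanity check on the pattern itself
            raise ValueError(f"alternative {alt!r} does not decode to MZ")
        out[alt] = raw[2]
    return out


def line_starts_with_mz(line: str) -> bool:
    """True if a base64 line decodes to bytes beginning with 'MZ'.

    Only meaningful on the first line of a base64 body, where the 3-byte
    alignment starts; a later line that happens to begin with "TV" is noise.
    """
    head = line.strip()[:4]
    if not re.fullmatch(r"[A-Za-z0-9+/]{4}", head):
        return False
    return base64.b64decode(head)[:2] == b"MZ"


def find_base64_mz_parts(raw_message: str) -> list:
    """Return filenames of base64-encoded MIME parts whose first line decodes to 'MZ'."""
    msg = email.message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = part.get("Content-Transfer-Encoding", "").strip().lower()
        if cte != "base64":
            continue
        lines = part.get_payload(decode=False).strip().splitlines()
        if lines and line_starts_with_mz(lines[0]):
            hits.append(part.get_filename() or "<unnamed>")
    return hits


# Constructed sample: one text part, one base64 part that starts with a DOS
# header ("TVqQAAMAAAAEAAAA" decodes to MZ\x90\x00\x03\x00...), one harmless
# base64 part.  Nothing here is a real malware sample.
SAMPLE_MSG = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

hello
--BOUNDARY
Content-Type: application/octet-stream; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

TVqQAAMAAAAEAAAA
--BOUNDARY
Content-Type: application/octet-stream; name="notes.dat"
Content-Transfer-Encoding: base64

AAAAAAAAAAAAAAAA
--BOUNDARY--
"""

if __name__ == "__main__":
    for alt, byte in third_bytes_matched().items():
        print(f"TV{alt} -> MZ + 0x{byte:02x}")
    print("parts starting with MZ:", find_base64_mz_parts(SAMPLE_MSG))
```

Running it lists which third byte each alternative corresponds to (for instance "qQ" is 0x90, the value in the usual DOS stub, and "oA" is 0x00) and reports the readme.exe part as the only attachment whose first line decodes to MZ.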



