[Snort-sigs] NETBIOS nimda .eml

Jason Haar Jason.Haar at ...651...
Wed Jun 2 16:48:34 EDT 2004

This is causing a small number of FPs for us too - I wonder if the rule could
be changed?

Nimda (and any other eml-based virus) contained an executable as a MIME
attachment, so adding another "content:" field should help sort out viral
emails from standard emails.

Standard Windows binaries in base64 format look like:



Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
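
The check suggested in the message above, sketched as an added example that is not part of the original post or of any Snort rule: it derives the base64 text that data beginning with the "MZ" executable magic can start with, then flags base64 MIME parts in an .eml whose encoded text starts that way. The sample messages, file names and function names are constructed for illustration.

```python
import base64
from email import message_from_string
from email.message import EmailMessage


def mz_base64_prefixes():
    """3-character base64 prefixes possible for data that begins with b'MZ'."""
    # The third base64 character also depends on the top two bits of byte 3,
    # so enumerate every possible third byte instead of hard-coding a string.
    return {base64.b64encode(b"MZ" + bytes([b])).decode()[:3] for b in range(256)}


def executable_attachments(raw_eml):
    """Filenames of base64 MIME parts whose encoded text starts like an MZ file."""
    prefixes = tuple(mz_base64_prefixes())
    hits = []
    for part in message_from_string(raw_eml).walk():
        if part.is_multipart():
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte != "base64":
            continue
        # Match on the encoded text, which is what a payload content match sees.
        encoded = "".join(part.get_payload().split())
        if encoded.startswith(prefixes):
            hits.append(part.get_filename())
    return hits


def build_eml(filename, data):
    """Build a constructed sample message with one binary attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(data, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_string()


# Constructed inputs: only the leading bytes of each attachment matter here.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
WITH_EXE = build_eml("sample.exe", PE_STUB)
WITHOUT_EXE = build_eml("report.pdf", b"%PDF-1.4 constructed")

if __name__ == "__main__":
    print(sorted(mz_base64_prefixes()))
    print(executable_attachments(WITH_EXE), executable_attachments(WITHOUT_EXE))
```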
