[Snort-sigs] Netsky.c + others? attachment sid

Hugo van der Kooij hvdkooij at ...481...
Tue Mar 2 14:27:06 EST 2004


On Tue, 2 Mar 2004, John B. wrote:

> Correction. My rule was correct, my typing was
> incorrect.
>
> A method for detecting infected hosts could be:
>
>  alert tcp !$TRUSTED_SMTP_SERVERS any -> any 25

So if 192.168.1.2 is my trusted SMTP server and 192.168.1.10 sends its
daily logrotate report it would trigger this rule.

I like the old one better where SMTP traffic is neither going to nor coming
from the known SMTP servers.

Hugo.

-- 
 All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
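Added example (not part of the thread): a small Python model of the two rule headers, run over constructed sample connections, to show the false positive Hugo describes. The value of $TRUSTED_SMTP_SERVERS (192.168.1.2/32) is taken from his example; the "old" rule he prefers is not quoted on the page, so its form `!$TRUSTED_SMTP_SERVERS any -> !$TRUSTED_SMTP_SERVERS 25` is an assumption reconstructed from his description.

```python
import ipaddress
from dataclasses import dataclass

# Assumed contents of the Snort variable $TRUSTED_SMTP_SERVERS; the thread
# only says that 192.168.1.2 is the trusted server in Hugo's example.
TRUSTED_SMTP_SERVERS = [ipaddress.ip_network("192.168.1.2/32")]
SMTP_PORT = 25


@dataclass(frozen=True)
class Flow:
    """One TCP connection as the rule header sees it (client -> server)."""
    src: str
    dst: str
    dport: int
    note: str


def in_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_SMTP_SERVERS)


def rule_source_only(flow: Flow) -> bool:
    """Header logic of the rule quoted in the thread:
       alert tcp !$TRUSTED_SMTP_SERVERS any -> any 25
    Only the source is checked, so a client talking to the trusted relay matches."""
    return not in_trusted(flow.src) and flow.dport == SMTP_PORT


def rule_neither_side(flow: Flow) -> bool:
    """Header logic of the rule Hugo prefers, reconstructed from his description
    (assumed form): alert tcp !$TRUSTED_SMTP_SERVERS any -> !$TRUSTED_SMTP_SERVERS 25
    Both ends must be outside the trusted set."""
    return (not in_trusted(flow.src)
            and not in_trusted(flow.dst)
            and flow.dport == SMTP_PORT)


# Constructed sample traffic (not from the page).
SAMPLE_FLOWS = [
    Flow("192.168.1.10", "192.168.1.2", 25, "logrotate report to the trusted relay"),
    Flow("192.168.1.2", "203.0.113.7", 25, "trusted relay delivering outbound mail"),
    Flow("192.168.1.10", "203.0.113.7", 25, "workstation speaking SMTP straight to the Internet"),
    Flow("198.51.100.9", "192.168.1.2", 25, "inbound mail from the Internet to the relay"),
    Flow("192.168.1.10", "192.168.1.2", 80, "HTTP to the same host, not SMTP"),
]


def matches(rule, flows=SAMPLE_FLOWS):
    """Return the notes of the flows that would raise an alert under `rule`."""
    return [f.note for f in flows if rule(f)]


if __name__ == "__main__":
    for rule in (rule_source_only, rule_neither_side):
        print(rule.__name__)
        for note in matches(rule):
            print("  ALERT:", note)
```

Running it shows the source-only header alerting on the logrotate report and also on ordinary inbound mail from the Internet to the relay, while the both-sides form only fires on the workstation that bypasses the relay. In a real deployment you would normally also restrict the source to $HOME_NET so the rule only watches your own hosts; the thread does not show that, so it is left out of the model.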
