[Snort-sigs] Netsky.c + others? attachment sid
Hugo van der Kooij
hvdkooij at ...481...
Tue Mar 2 14:27:06 EST 2004
On Tue, 2 Mar 2004, John B. wrote:
> Correction. My rule was correct, my typing was
> A method for detecting infected hosts could be:
> alert tcp !$TRUSTED_SMTP_SERVERS any -> any 25
So if 192.168.1.2 is my trusted SMTP server and 192.168.1.10 sends its
daily logrotate report it would trigger this rule.
I like the old one better where SMTP traffic is neither going to nor coming
from the known SMTP servers.
All email sent to me is bound to the rules described on my homepage.
hvdkooij at ...481... http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.
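
The false positive described in this reply, as an added example that is not part of the original thread: a small evaluator for Snort rule headers, run over constructed flows. The `NEITHER` header is an assumption about what the "neither to nor from" rule looked like, and the 203.0.113.5 address and the source ports are made up.

```python
import ipaddress

# Trusted relay address taken from the reply; variable name from the quoted rule.
VARS = {"$TRUSTED_SMTP_SERVERS": ["192.168.1.2"]}

# Header of the quoted rule, and an assumed header for the variant where
# neither endpoint is a known SMTP server.
QUOTED = "alert tcp !$TRUSTED_SMTP_SERVERS any -> any 25"
NEITHER = "alert tcp !$TRUSTED_SMTP_SERVERS any -> !$TRUSTED_SMTP_SERVERS 25"

def addr_match(spec, ip):
    """Match one address field: 'any', a variable, or a literal, with optional '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    else:
        nets = VARS.get(spec, [spec])
        hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)
    return hit != negate

def port_match(spec, port):
    return spec == "any" or int(spec) == port

def header_match(rule, flow):
    """True if the flow (src_ip, src_port, dst_ip, dst_port) matches the rule header."""
    _action, _proto, src, sport, direction, dst, dport = rule.split()
    if direction != "->":
        raise ValueError("only one-way headers are handled here")
    s_ip, s_port, d_ip, d_port = flow
    return (addr_match(src, s_ip) and port_match(sport, s_port)
            and addr_match(dst, d_ip) and port_match(dport, d_port))

# Constructed flows, not captured traffic.
FLOWS = {
    "logrotate report to relay": ("192.168.1.10", 40001, "192.168.1.2", 25),
    "relay delivering outbound": ("192.168.1.2", 40002, "203.0.113.5", 25),
    "host mailing directly out": ("192.168.1.10", 40003, "203.0.113.5", 25),
}

def alerts(rule):
    """Names of the constructed flows on which the rule header would fire."""
    return [name for name, flow in FLOWS.items() if header_match(rule, flow)]

if __name__ == "__main__":
    print("quoted :", alerts(QUOTED))
    print("neither:", alerts(NEITHER))
```

The quoted header fires on the internal host's mail to the relay as well as on the direct outbound connection; the second header fires only on the direct connection, which is the behaviour a mass-mailer with its own SMTP engine produces.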