[Snort-sigs] Netsky.c + others? attachment sid

Hugo van der Kooij hvdkooij at ...481...
Tue Mar 2 14:27:06 EST 2004

On Tue, 2 Mar 2004, John B. wrote:

> Correction. My rule was correct, my typing was
> incorrect.
> A method for detecting infected hosts could be:
>  alert tcp !$TRUSTED_SMTP_SERVERS any -> any 25

So if is my trusted SMTP server and sends its
daily logrotate report it would trigger this rule.

I like the old one better where SMTP traffic is neither going to nor coming
from the known SMTP servers.


 All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
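
The two rule shapes compared in this message, evaluated over a few flows, as an added example that is not part of the original post. The addresses, the flow records and the exact header used for the "neither going to nor coming from" variant are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for Snort's $TRUSTED_SMTP_SERVERS variable.
TRUSTED_SMTP_SERVERS = [ipaddress.ip_network("192.0.2.25/32")]


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SMTP_SERVERS)


def rule_src_only(flow):
    # Header quoted in the thread: !$TRUSTED_SMTP_SERVERS any -> any 25
    return flow["dport"] == 25 and not is_trusted(flow["src"])


def rule_neither(flow):
    # Assumed rendering of the older variant:
    # !$TRUSTED_SMTP_SERVERS any -> !$TRUSTED_SMTP_SERVERS 25
    return (flow["dport"] == 25
            and not is_trusted(flow["src"])
            and not is_trusted(flow["dst"]))


# Constructed flows (documentation address ranges).
FLOWS = [
    {"name": "host relays report via trusted server",
     "src": "192.0.2.50", "dst": "192.0.2.25", "dport": 25},
    {"name": "trusted server delivers outbound",
     "src": "192.0.2.25", "dst": "198.51.100.7", "dport": 25},
    {"name": "host connects directly to external MX",
     "src": "192.0.2.77", "dst": "198.51.100.7", "dport": 25},
    {"name": "host web traffic",
     "src": "192.0.2.77", "dst": "198.51.100.7", "dport": 80},
]


def evaluate(flows):
    """Return {flow name: (src-only rule fires, neither-endpoint rule fires)}."""
    return {f["name"]: (rule_src_only(f), rule_neither(f)) for f in flows}


if __name__ == "__main__":
    for name, (src_only, neither) in evaluate(FLOWS).items():
        print(f"{name:42} src-only={src_only!s:5} neither={neither}")
```

Only the direct-to-external-MX flow fires under both rules; the legitimate relay through the trusted server fires under the source-only rule alone.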
