[Snort-sigs] Netsky.c + others? attachment sid
cybergolfing at ...144...
Wed Mar 3 07:30:10 EST 2004
If 192.168.1.10 normally sends logrotate emails to 192.168.1.2, would it not then be a trusted SMTP

An infected system _can_ transmit email to a trusted email server. Either rule will in fact work for the virus. The "!$TRUSTED_SMTP_SERVERS -> any" also helps become aware of any _unknown_ SMTP servers that could potentially be receiving email from infected hosts.
--- Hugo van der Kooij <hvdkooij at ...481...>
> On Tue, 2 Mar 2004, John B. wrote:
> > Correction. My rule was correct, my typing was
> > incorrect.
> > A method for detecting infected hosts could be:
> > alert tcp !$TRUSTED_SMTP_SERVERS any -> any 25
> So if 192.168.1.2 is my trusted SMTP server and 192.168.1.10 sends its daily logrotate report it would trigger this rule.
> I like the old one better where SMTP traffic is neither going to nor coming from the known SMTP servers.
> All email sent to me is bound to the rules
> described on my homepage.
> hvdkooij at ...481...
> Don't meddle in the affairs of sysadmins,
> for they are subtle and quick to anger.
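To make the false-positive tradeoff the thread argues about concrete, here is an added Python example (not from the list or from Snort itself) that evaluates the two rule headers discussed above against three constructed TCP flows. It handles only the header fields and the `->` direction; the trusted-server address, the variable contents and the flow addresses are assumptions.

```python
# Constructed Snort variable, as used in the thread: the known/trusted mail server(s).
VARS = {"TRUSTED_SMTP_SERVERS": ["192.168.1.2"]}

# Header-only forms of the two rules under discussion (rule options omitted).
RULE_ANY_DST = "alert tcp !$TRUSTED_SMTP_SERVERS any -> any 25"
RULE_BOTH_NEG = "alert tcp !$TRUSTED_SMTP_SERVERS any -> !$TRUSTED_SMTP_SERVERS 25"


def _ip_match(spec: str, ip: str) -> bool:
    """Evaluate a Snort-style IP field: 'any', '$VAR', a literal, or a '!'-negated form."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec.startswith("$"):
        hit = ip in VARS[spec[1:]]
    else:
        hit = ip == spec
    return hit != negate


def _port_match(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_fires(rule: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """Apply a rule header to one flow; only 'tcp' and the unidirectional '->' are supported."""
    _action, proto, s_ip, s_port, direction, d_ip, d_port = rule.split()
    assert proto == "tcp" and direction == "->"
    return (_ip_match(s_ip, src) and _port_match(s_port, sport)
            and _ip_match(d_ip, dst) and _port_match(d_port, dport))


# Constructed flows: Hugo's logrotate case, an infected host mailing an outside MX directly,
# and the trusted server relaying outbound mail as it normally would.
FLOWS = {
    "logrotate_to_trusted": ("192.168.1.10", 40231, "192.168.1.2", 25),
    "infected_direct_to_mx": ("192.168.1.10", 40232, "203.0.113.5", 25),
    "trusted_relay_outbound": ("192.168.1.2", 40233, "203.0.113.5", 25),
}


def evaluate(rule: str) -> dict:
    """Return, per constructed flow, whether the rule header would match it."""
    return {name: rule_fires(rule, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, rule in (("any dst", RULE_ANY_DST), ("both negated", RULE_BOTH_NEG)):
        print(label, evaluate(rule))
```

The "any dst" form fires on the logrotate mail as well as the infected host, while the doubly negated form fires only on the infected host talking past the trusted server.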