[Snort-sigs] Netsky.c + others? attachment sid

John B. cybergolfing at ...144...
Wed Mar 3 07:30:10 EST 2004


If 192.168.1.10 normally sends logrotate emails to
192.168.1.2, would it not then be a trusted SMTP
server also?

An infected system _can_ transmit email to a trusted
email server. Either rule will in fact work for the
virus. The "!$TRUSTED_SMTP_SERVERS -> any" also helps
become aware of any _unknown_ SMTP servers that could
potentially be receiving email from infected hosts.


John B.

--- Hugo van der Kooij <hvdkooij at ...481...>
wrote:
> On Tue, 2 Mar 2004, John B. wrote:
> 
> > Correction. My rule was correct, my typing was
> > incorrect.
> >
> > A method for detecting infected hosts could be:
> >
> >  alert tcp !$TRUSTED_SMTP_SERVERS any -> any 25
> 
> So if 192.168.1.2 is my trusted SMTP server and
> 192.168.1.10 sends its
> daily logrotate report it would trigger this rule.
> 
> I like the old one better where SMTP traffic is
> neither going to nor coming
> from the known SMTP servers.
> 
> Hugo.
> 
> -- 
> All email sent to me is bound to the rules
> described on my homepage.
> hvdkooij at ...481...
> http://hvdkooij.xs4all.nl/
> Don't meddle in the affairs of sysadmins,
> for they are subtle and quick to anger.
> 


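The two rule headers the thread compares, modelled in Python as an added example (this is not code from either poster). It assumes Hugo's "old" rule is `alert tcp !$TRUSTED_SMTP_SERVERS any -> !$TRUSTED_SMTP_SERVERS 25`, that 192.168.1.2 is the only trusted relay, and uses constructed addresses for the hosts not named in the thread.

```python
"""Model the matching behaviour of the two Snort rule headers discussed."""
import ipaddress

# Assumption from Hugo's message: a single trusted relay, 192.168.1.2.
TRUSTED_SMTP_SERVERS = [ipaddress.ip_network("192.168.1.2/32")]


def is_trusted(ip: str) -> bool:
    """True when ip falls inside $TRUSTED_SMTP_SERVERS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_SMTP_SERVERS)


def rule_john(src: str, dst: str, dport: int) -> bool:
    """alert tcp !$TRUSTED_SMTP_SERVERS any -> any 25
    Fires on any SMTP client that is not itself a trusted relay."""
    return dport == 25 and not is_trusted(src)


def rule_old(src: str, dst: str, dport: int) -> bool:
    """alert tcp !$TRUSTED_SMTP_SERVERS any -> !$TRUSTED_SMTP_SERVERS 25
    (assumed form of the 'old' rule: SMTP neither from nor to a known relay)."""
    return dport == 25 and not is_trusted(src) and not is_trusted(dst)


# Constructed flows: the logrotate case from the thread plus three others.
FLOWS = [
    ("logrotate report to relay", "192.168.1.10", "192.168.1.2", 25),
    ("relay delivering outbound", "192.168.1.2", "203.0.113.25", 25),
    ("workstation direct to external MX", "192.168.1.10", "203.0.113.25", 25),
    ("workstation web browsing", "192.168.1.10", "203.0.113.80", 80),
]


def evaluate(flows=FLOWS) -> dict:
    """Return {flow name: (john rule fires, old rule fires)}."""
    return {name: (rule_john(s, d, p), rule_old(s, d, p)) for name, s, d, p in flows}


if __name__ == "__main__":
    for name, (john, old) in evaluate().items():
        print(f"{name:36} john={john!s:5} old={old!s:5}")
```

Only the worm-like flow (a workstation talking SMTP straight to an outside MX) fires both rules; the logrotate report fires John's rule alone, which is exactly the disagreement in the thread.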