[Snort-sigs] W32.Beagle.J Worm Signature?
Hugo van der Kooij
hvdkooij at ...481...
Wed Mar 3 13:47:00 EST 2004
On Wed, 3 Mar 2004 Mark.Schutzmann at ...2233... wrote:
> Has anyone developed or seen a signature for the W32.Beagle.J? I know that
> it is not best-practices to monitor for viruses through the SMTP gateway
> with Snort, but I am having a problem detecting this one. The issue is that
> the well-known AV Vendor that I am using will not scan a password-protected
> zip file, which is usually the attachment for this worm's e-mail. Any help
> would be appreciated.
Name a scanner that DOES scan a password protected zip file. I have seen
quite a bunch and you either block these files or ignore them. Until now
I was biased to let them pass. But things start to go downhill rapidly.
Unfortunately I have not seen enough examples to attempt any pattern
All email sent to me is bound to the rules described on my homepage.
hvdkooij at ...481... http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.
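
The block-or-pass choice discussed in this thread is possible because a ZIP's encryption flag (general-purpose bit 0) is readable without the password. The following is an added example, not part of the original thread, that flags such attachments in a mail message; the function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ZIP_MAGIC = b"PK\x03\x04"   # local file header signature
ENCRYPTED = 0x0001          # general-purpose flag bit 0: member is encrypted

def encrypted_zip_members(data: bytes) -> list[str]:
    """Names of members whose encryption bit is set (no password needed)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED]
    except zipfile.BadZipFile:
        return []  # unparsable archive: handle under a separate policy

def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map attachment name -> encrypted member names for one RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(ZIP_MAGIC):  # sniff content, not the file extension
            names = encrypted_zip_members(payload)
            if names:
                hits[part.get_filename() or "(unnamed)"] = names
    return hits

def constructed_zip(encrypted: bool) -> bytes:
    """Constructed sample: a one-member archive, optionally marked encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"constructed sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ENCRYPTED                        # flags in local file header
        data[data.index(b"PK\x01\x02") + 8] |= ENCRYPTED  # flags in central directory
    return bytes(data)

def constructed_mail(zip_bytes: bytes, name: str) -> bytes:
    """Constructed sample message carrying the archive as an attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "constructed test"
    m.set_content("see attachment")
    m.add_attachment(zip_bytes, maintype="application",
                     subtype="octet-stream", filename=name)
    return m.as_bytes()
```

A gateway hook can call `scan_message` on each message and quarantine or tag on a non-empty result, which makes the block-or-pass choice an explicit policy rather than a scanner blind spot.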