[Snort-sigs] Re: W32.Beagle.J Worm Signature?

RuthAnne Bevier ruthanne at ...2296...
Wed Mar 3 22:09:02 EST 2004


I hope I'm not doing this wrong -- this is the first time
I've posted here and I get the list in digest mode.  

I don't have a snort signature to offer per se, but fwiw, 
Beagle.J and Beagle.K seem to use the same 7 possible subject 
lines.  We've been successfully filtering on those.  Obviously 
not a long-term fix since the worm writers will probably change 
this, but for now it works.  See, e.g., the Symantec writeup for 
a list of the seven subject lines:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@...1512...
 
     --RuthAnne

-- 
RuthAnne Bevier
ITS Network Systems Security
California Institute of Technology
626-395-2671
ruthanne at ...2296...
http://www.its.caltech.edu/its/security/





