[Snort-sigs] W32.Beagle.J Worm Signature?

Cam Beasley, ISO cam at ...2154...
Thu Mar 4 05:04:03 EST 2004


Might give this a go:

alert tcp any any <> any 25 \
 (msg:"Likely Bagle.J (password protected .ZIP)";\
 flow:to_server,established;\
 content:"Content-Transfer-Encoding|3A|";\
 content:"Content-Disposition|3A| attachment";\
 distance:1;\
 content:"UEsDBAoAAQAAA";\
 classtype:misc-activity;\
 sid:20080129;rev:1;)

~cam.

Cam Beasley
Sr InfoSec Robot
Information Security Office
The University of Texas at Austin
cam at ...2154...
---------------------------
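The 13-character content match in the rule above is the base64 of a ZIP local file header: "UEsDBAoAAQAAA" decodes to 50 4B 03 04 (PK signature), 0A 00 (version 1.0), 01 00 (general purpose flags with bit 0, "encrypted", set) and a compression method whose first byte is 00 (stored). The following Python is an added example, not code from the original post or from the Snort project: it base64-decodes each attachment of a MIME message the way the mail gateway would and reads the encryption bit straight from the header, so it also catches an encrypted entry that is deflated (method 8) or written with a later version, which the literal base64 string does not match. The e-mail, addresses, entry name and ZIP bytes are all constructed here for the demonstration.

```python
"""Added example (not from the original post or the Snort project): decode a
MIME attachment and check the ZIP local file header for the encryption flag,
which is what the posted Snort content match tests indirectly via base64."""
import base64
import email
import struct
from email import policy
from email.message import EmailMessage

ZIP_LOCAL_SIG = b"PK\x03\x04"          # local file header signature
ZIP_FLAG_ENCRYPTED = 0x0001            # general purpose flag bit 0
# The content string from the posted rule. It is base64 of:
# 50 4B 03 04 | 0A 00 (version 1.0) | 01 00 (flags: encrypted) | 00 .. (method 0, stored)
SNORT_CONTENT = "UEsDBAoAAQAAA"


def zip_header_fields(data: bytes):
    """Parse (version, flags, method) from a ZIP local file header, or None."""
    if len(data) < 10 or data[:4] != ZIP_LOCAL_SIG:
        return None
    version, flags, method = struct.unpack("<HHH", data[4:10])
    return version, flags, method


def is_encrypted_zip(data: bytes) -> bool:
    """True if the first local file header has the encryption bit set,
    whatever the compression method or version-needed value."""
    fields = zip_header_fields(data)
    return fields is not None and bool(fields[1] & ZIP_FLAG_ENCRYPTED)


def b64_prefix(data: bytes, n: int = 16) -> str:
    """First n base64 characters, i.e. what Snort would see on the wire."""
    return base64.b64encode(data)[:n].decode("ascii")


def fake_encrypted_zip(method: int, version: int) -> bytes:
    """Constructed sample: a local file header with the encryption bit set,
    followed by junk standing in for ciphertext. Not a valid archive; only
    the 30-byte header matters for this check."""
    name = b"photo.exe"                 # hypothetical entry name
    body = b"\xde\xad\xbe\xef" * 8
    header = ZIP_LOCAL_SIG + struct.pack(
        "<HHHHHIIIHH",
        version, ZIP_FLAG_ENCRYPTED, method,
        0, 0,                           # mod time, mod date
        0,                              # crc32 (bogus)
        len(body), len(body),           # compressed, uncompressed size
        len(name), 0)                   # name length, extra length
    return header + name + body


def build_sample(zip_bytes: bytes, filename: str) -> bytes:
    """Constructed e-mail carrying the ZIP as a base64 attachment (hypothetical addresses)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "victim@example.com"
    m["Subject"] = "Re: Hello"
    m.set_content("The password is in the attached image.")
    m.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=filename)
    return m.as_bytes()


def scan_message(raw: bytes):
    """For every attachment: does the decoded data start with an encrypted ZIP
    header, and would the rule's literal base64 content have matched?"""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        decoded = part.get_payload(decode=True) or b""
        on_the_wire = part.get_payload()          # base64 text as sent over SMTP
        results.append({
            "filename": part.get_filename(),
            "encrypted_zip": is_encrypted_zip(decoded),
            "snort_content_match": SNORT_CONTENT in on_the_wire,
        })
    return results


def demo():
    """Stored (method 0, version 1.0) vs deflated (method 8, version 2.0) encrypted entries."""
    return {
        "stored": scan_message(build_sample(fake_encrypted_zip(0, 10), "photo.zip")),
        "deflated": scan_message(build_sample(fake_encrypted_zip(8, 20), "photo.zip")),
    }


if __name__ == "__main__":
    for kind, res in demo().items():
        print(kind, res)
```

The stored/version-1.0 archive base64-encodes to "UEsDBAoAAQAAA..." and trips both checks; the deflated one encodes to "UEsDBBQAAQAI..." and is still flagged by the header parse but not by the literal content match. The rule's string only lines up because the local file header sits at byte 0 of the attachment, so the base64 alignment is fixed; a header at any other offset would encode to a different string, and a gateway that decodes the attachment does not have that limitation.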

> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net 
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of 
> Mark.Schutzmann at ...2233...
> Sent: Wednesday, March 03, 2004 14:46
> To: snort-sigs at lists.sourceforge.net; 
> snort-users at lists.sourceforge.net
> Subject: [Snort-sigs] W32.Beagle.J Worm Signature?
> 
> 
> Has anyone developed or seen a signature for the 
> W32.Beagle.J? I know that it is not best-practices to monitor 
> for viruses through the SMTP gateway with Snort, but I am 
> having a problem detecting this one. The issue is that the 
> well-known AV Vendor that I am using will not scan a 
> password-protected zip file, which is usually the attachment 
> for this worm's e-mail. Any help would be appreciated.
> 
> Regards,
> Mark
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net 
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 