[Snort-sigs] Witty signature

todb at ...794... todb at ...794...
Sat Mar 20 03:18:01 EST 2004


Pretty easy one:

alert udp any 4000 -> any any (msg:"ISS RealSecure or BlackICE Witty Infection Attempt"; content:"|20 20 20 20 20 20|insert.witty.message.here"; depth:146; classtype:trojan-activity; reference:url,http://xforce.iss.net/xforce/alerts/id/166; sid:1111001; rev:1;)

Mostly useful for the Trons crowd (drop disallowed Trons fields accordingly).

-- 
Tod Beardsley
www.planb-security.net
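
Added example, not part of the original post: a Python sketch of how the rule's header and its content/depth options evaluate against a UDP payload. The payloads are constructed for illustration, and the matcher covers only the options this rule uses (no backslash escapes, nocase or offset).

```python
# Options copied from the rule in the post above.
RULE_SRC_PORT = 4000
RULE_CONTENT = "|20 20 20 20 20 20|insert.witty.message.here"
RULE_DEPTH = 146


def decode_content(pattern: str) -> bytes:
    """Convert a Snort content string to raw bytes; |..| sections are hex."""
    out = bytearray()
    # Splitting on '|' alternates literal text (even index) and hex (odd index).
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


NEEDLE = decode_content(RULE_CONTENT)


def rule_matches(src_port: int, payload: bytes) -> bool:
    """Apply the rule header (udp any 4000 -> any any) and content/depth."""
    if src_port != RULE_SRC_PORT:
        return False
    # depth:146 searches only the first 146 payload bytes, and the whole
    # pattern must fit inside that window. The match is literal and
    # case-sensitive (no nocase), so '.' is a dot, not a wildcard.
    return NEEDLE in payload[:RULE_DEPTH]


def sample_payload(offset: int, marker: bytes = NEEDLE) -> bytes:
    """Constructed test payload: zero padding, marker at offset, more padding."""
    return b"\x00" * offset + marker + b"\x00" * 64


if __name__ == "__main__":
    cases = {
        "pattern ends exactly at byte 146": (4000, sample_payload(115)),
        "pattern starts one byte later": (4000, sample_payload(116)),
        "same payload, source port 4001": (4001, sample_payload(115)),
        "spaces instead of dots": (4000, sample_payload(0, NEEDLE.replace(b".", b" "))),
    }
    for name, (port, data) in cases.items():
        print(f"{name}: {'alert' if rule_matches(port, data) else 'no alert'}")
```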




