[Snort-sigs] Witty signature

todb at ...794... todb at ...794...
Sat Mar 20 03:18:01 EST 2004

Pretty easy one:

alert udp any 4000 -> any any (msg:"ISS RealSecure or BlackICE Witty Infection Attempt"; content:"|20 20 20 20 20 20|insert.witty.message.here"; depth:146; classtype:trojan-activity; reference:url,http://xforce.iss.net/xforce/alerts/id/166; sid:1111001;)

Mostly useful for the Trons crowd (drop disallowed Trons fields accordingly).

Tod Beardsley
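
Added example, not part of the original post: a small Python model of how the rule above is evaluated, showing how the pipe-delimited hex in content: becomes raw bytes and how depth:146 limits where the pattern may sit. The function names and sample payloads are constructed for illustration, and content escape sequences are not handled.

```python
# Values copied from the rule in the post above.
RULE_SRC_PORT = 4000
RULE_CONTENT = "|20 20 20 20 20 20|insert.witty.message.here"
RULE_DEPTH = 146


def parse_content(spec: str) -> bytes:
    """Convert a Snort content string to the raw bytes it searches for.

    Text between pipes is a run of hex byte values; everything else is
    literal (a '.' is a plain byte here, not a wildcard).
    Simplification: backslash escapes are not handled.
    """
    parts = spec.split("|")  # alternates literal, hex, literal, ...
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 1:
            out += bytes.fromhex("".join(part.split()))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def rule_matches(src_port: int, payload: bytes) -> bool:
    """True if a UDP datagram would satisfy the rule's header and content."""
    if src_port != RULE_SRC_PORT:
        return False
    # depth:N searches only the first N payload bytes, so the whole
    # pattern must end at or before byte N.
    return parse_content(RULE_CONTENT) in payload[:RULE_DEPTH]


if __name__ == "__main__":
    pattern = parse_content(RULE_CONTENT)
    # Constructed payloads: zero padding places the pattern at chosen offsets.
    samples = [
        ("inside depth", 4000, b"\x00" * 100 + pattern),
        ("ends exactly at byte 146", 4000, b"\x00" * 115 + pattern),
        ("runs past depth", 4000, b"\x00" * 116 + pattern),
        ("wrong source port", 53, b"\x00" * 100 + pattern),
    ]
    for label, port, payload in samples:
        print(f"{label}: {rule_matches(port, payload)}")
```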
