[Snort-sigs] Witty signature

todb at ...794... todb at ...794...
Sat Mar 20 09:18:43 EST 2004

> Pretty easy one:

Well, not so easy at 5am. Thanks to Joe Stewart for pointing out my
obviously rush job.

alert udp any 4000 -> any any (msg:"ISS RealSecure or BlackICE Witty
Infection Attempt"; content:"|20 20 20 20 20
20|insert witty message here"; depth:146; classtype:trojan-activity;
reference:url,xforce.iss.net/xforce/alerts/id/166; sid:1111001;

Tod Beardsley

More information about the Snort-sigs mailing list