[Snort-sigs] Netsky.P Signature

Adrian Marsden amarsden at ...2045...
Wed Mar 24 06:14:11 EST 2004


Actually, from a forensics pov this rule is useful if the direction is
reversed, (Ext -> Home), when placed inside the firewall and other
filters you can determine what potentially harmful files actually
entered the system during a given period. With checking of the mail logs
you can then determine who received what files, which may be useful.

I would leave it as suspicious filename, not as a policy violation if
you reverse the direction.

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar at ...651...] 
Sent: Tuesday, March 23, 2004 8:31 PM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Netsky.P Signature

On Tue, Mar 23, 2004 at 08:03:26AM -0600, Mark.Schutzmann at ...2233...
wrote:
> 
> I can't wait for all of the FP's on this one... but at least it will
be
> fast ;-)

I wouldn't say FPs - but the msg should be something more like 

msg:"Email OUTBOUND bad file attachment";

as this rule merely notices e-mails with attachments typically
assosiated
with viruses - not viruses themselves. You could say it was more of a
"policy-violation" rule perhaps...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




More information about the Snort-sigs mailing list