[Snort-sigs] Anyone got an *incoming* Bropia rule?

Jason Haar Jason.Haar at ...651...
Thu Feb 17 21:57:15 EST 2005


Hi there

The Bleeding snort rules I've seen around for catching Bropia appear to 
be for catching it calling *out* - not for catching it as it is 
delivered to MS Messenger? I've now got 4 BS rules for detecting Bropia 
variants, and it's never triggered - even though our internal AV has 
been catching it on the desktop. Also if we ever got infected, our 
firewalls block outgoing traffic - especially the IRC Bropia prefers - 
so these TCP rules would never trigger anyway :-(

All our outgoing Web traffic (which includes MS Messenger) is via 
proxies, so I've even removed explicit port numbers from the rules (i.e. 
replaced with "any") and it still isn't catching anything.

Has anyone any ideas what else I can try? Bropia has a fair amount of 
publicity at the moment and I'd like Snort to be showing it up ;-)

Thanks

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1