[Snort-sigs] Anyone got an *incoming* Bropia rule?
Jason.Haar at ...651...
Thu Feb 17 21:57:15 EST 2005
The Bleeding snort rules I've seen around for catching Bropia appear to
be for catching it calling *out* - not for catching it as it is
delivered to MS Messenger? I've now got 4 BS rules for detecting Bropia
variants, and it's never triggered - even though our internal AV has
been catching it on the desktop. Also if we ever got infected, our
firewalls block outgoing traffic - especially the IRC Bropia prefers -
so these TCP rules would never trigger anyway :-(
All our outgoing Web traffic (which includes MS Messenger) is via
proxies, so I've even removed explicit port numbers from the rules (i.e.
replaced with "any") and it still isn't catching anything.
Has anyone any ideas what else I can try? Bropia has a fair amount of
publicity at the moment and I'd like Snort to be showing it up ;-)
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
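The directional point in the post above, as an added illustration that is not a rule from the thread, from Bleeding Snort or from any published Bropia signature: a Snort rule is written for one direction of flow, so an outbound rule never fires on the inbound delivery. The `content:` strings, `msg` text and SIDs below are constructed placeholders (SIDs in the local 1000000+ range), and the network variables are Snort's standard `$HOME_NET`/`$EXTERNAL_NET`.

```snort
# Outbound-style rule: only matches traffic the infected client originates
# (the shape of the Bleeding rules the post describes). It cannot see the
# file being delivered to the client.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL placeholder - Bropia-style outbound"; flow:to_server,established; content:"PLACEHOLDER-OUTBOUND-PATTERN"; classtype:trojan-activity; sid:1000001; rev:1;)

# Inbound counterpart: same idea with the direction reversed and flow set to
# to_client, so it inspects what arrives at the desktop. Ports stay "any"
# because the transfer rides whatever port the messenger/proxy negotiates.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL placeholder - Bropia-style inbound"; flow:to_client,established; content:"PLACEHOLDER-INBOUND-PATTERN"; classtype:trojan-activity; sid:1000002; rev:1;)

# Proxy caveat: when clients reach the Internet through an internal proxy, a
# sensor inside the proxy sees client <-> proxy, and BOTH ends are in
# $HOME_NET, so neither rule above matches. Either place the sensor on the
# proxy's outside leg, or relax the source side as shown here.
alert tcp any any -> $HOME_NET any (msg:"LOCAL placeholder - Bropia-style inbound via proxy"; flow:to_client,established; content:"PLACEHOLDER-INBOUND-PATTERN"; classtype:trojan-activity; sid:1000003; rev:1;)
```

Before blaming the rule content, confirm the sensor position and variable definitions: a quick check is to temporarily fire the inbound rule on a benign, known string transferred through the same messenger path; if that never alerts, the problem is placement or `$HOME_NET`/`$EXTERNAL_NET`, not the signature.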