[Snort-sigs] Re: Question about bleeding Netsky rule?

Matt Jonkman matt at ...2436...
Fri Jan 14 17:51:12 EST 2005

You're correct, it should be tcp. Surprised snort hasn't complained 
about that one. Thanks for pointing it out.

Fixed and posted. Thanks


James Riden wrote:

>From today's bleeding-virus.rules:
>alert icmp $HOME_NET any -> any 25 (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; msg:"BLEEDING-EDGE VIRUS Netsky base64 port 25"; classtype:trojan-activity; sid:2001283; rev:2; )
>I don't understand the 'alert *icmp*'. Netsky is purely SMTP-based,
>isn't it?
> Jamie

Matthew Jonkman, CISSP
Senior Security Engineer
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC

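A lint check of the kind this thread calls for, added here as an example (it is not code from the list or from the Bleeding ruleset): it parses the Snort 2 rule header and flags a port on a protocol that has no ports. The rule text is the one quoted above; the function names `parse_header`, `lint_rule` and `get_sid` are my own choices.

```python
import re

# Snort 2 header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>tcp|udp|icmp|ip)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<options>.*)\)\s*$'
)

# Protocols with no port concept: only "any" makes sense in the port fields.
PORTLESS = {"icmp", "ip"}

def parse_header(rule):
    """Split one rule into its header fields plus the raw option string."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule: %r" % rule[:40])
    return m.groupdict()

def get_sid(rule):
    """Return the numeric sid from the rule options, or None if absent."""
    m = re.search(r'\bsid:\s*(\d+)', parse_header(rule)["options"])
    return int(m.group(1)) if m else None

def lint_rule(rule):
    """Return findings for a rule whose header and protocol disagree."""
    h = parse_header(rule)
    findings = []
    if h["proto"] in PORTLESS:
        for field in ("sport", "dport"):
            if h[field].lower() != "any":
                findings.append("sid:%s is an %s rule but sets %s=%s; %s has no ports"
                                % (get_sid(rule), h["proto"], field, h[field], h["proto"]))
    return findings

# The rule quoted in the thread, with the protocol error it was posted with.
NETSKY_RULE = ('alert icmp $HOME_NET any -> any 25 '
               '(content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; '
               'msg:"BLEEDING-EDGE VIRUS Netsky base64 port 25"; '
               'classtype:trojan-activity; sid:2001283; rev:2; )')

if __name__ == "__main__":
    for finding in lint_rule(NETSKY_RULE):
        print(finding)
```

Running it over a whole rules file (one rule per line, skipping comments) catches this class of mistake before the file is loaded into Snort.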
