[Snort-sigs] Re: Question about bleeding Netsky rule?
chris at ...2461...
Fri Jan 14 18:19:01 EST 2005
On the subject of virus rules, "BLEEDING-EDGE VIRUS Korgo Worm IRC
Connection" (sid:2001289; rev:2;) seems to me a little too broad.
It alerts when any TCP connection is made to selected IPs, to ports
Some of those IPs include Undernet IRC servers which the Korgo worm
possibly used, and therefore FP quite a bit on regular IRC traffic.
Just thought i'd mention it.
Matt Jonkman wrote:
> You're correct, it should be tcp. Surprised snort hasn't complained
> about that one. Thanks for pointing it out.
> Fixed and posted. Thanks
> James Riden wrote:
>> From today's bleeding-virus.rules:
>> alert icmp $HOME_NET any -> any 25
>> msg:"BLEEDING-EDGE VIRUS Netsky base64 port 25";
>> classtype:trojan-activity; sid:2001283; rev:2; )
>> I don't understand the 'alert *icmp*'. Netsky is purely SMTP-based,
>> isn't it?
More information about the Snort-sigs