[Snort-sigs] Re: Question about bleeding Netsky rule?

Chris Keladis chris at ...2461...
Fri Jan 14 18:19:01 EST 2005


Hi Matt,

On the subject of virus rules, "BLEEDING-EDGE VIRUS Korgo Worm IRC 
Connection" (sid:2001289; rev:2;) seems to me a little too broad.

It alerts when any TCP connection is made to selected IPs, to ports 
6667:6670.

Some of those IPs include Undernet IRC servers which the Korgo worm 
possibly used, and therefore FP quite a bit on regular IRC traffic.

Just thought I'd mention it.

Regards,

Chris.


Matt Jonkman wrote:

> You're correct, it should be tcp. Surprised snort hasn't complained 
> about that one. Thanks for pointing it out.
> 
> Fixed and posted. Thanks
> 
> Matt
> 
> James Riden wrote:
> 
>> From today's bleeding-virus.rules:
>>
>> alert icmp $HOME_NET any -> any 25 
>> (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; 
>> msg:"BLEEDING-EDGE VIRUS Netsky base64 port 25"; 
>> classtype:trojan-activity; sid:2001283; rev:2; )
>>
>> I don't understand the 'alert *icmp*'. Netsky is purely SMTP-based,
>> isn't it?
>>
>> cheers,
>> Jamie
>>  
>>
> 
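Both problems raised in this thread (a rule written for `icmp` that nevertheless names a destination port, and a rule that fires on nothing more than a destination address and an IRC port range) can be caught mechanically before a ruleset is deployed. The following linter is an added example written for this page; it is not code from the list, from Snort or from the Bleeding Edge project. It parses the Netsky rule quoted above verbatim, plus a constructed Korgo-style rule with placeholder addresses and a placeholder sid (neither is the real sid:2001289 rule), and reports header/port mismatches and rules with no payload match at all.

```python
import re

# Snort rule header layout: action proto src src_port direction dst dst_port (options)
# Quoted option values containing ';' are not handled; that is enough for this example.
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)

# Protocols that have no port field; a port other than 'any' is a rule-writing error.
PORTLESS_PROTOCOLS = {"icmp", "ip"}

# Options that actually inspect payload; without one of these the rule is header-only.
PAYLOAD_OPTIONS = ("content", "pcre", "uricontent")

# The rule exactly as quoted in the thread (copied from the mailing list message).
NETSKY_RULE = """alert icmp $HOME_NET any -> any 25
(content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz";
msg:"BLEEDING-EDGE VIRUS Netsky base64 port 25";
classtype:trojan-activity; sid:2001283; rev:2; )"""

# Constructed stand-in for the Korgo IRC rule: documentation-range IPs, placeholder sid.
KORGO_LIKE_RULE = (
    'alert tcp $HOME_NET any -> [192.0.2.10,192.0.2.11] 6667:6670 '
    '(msg:"constructed Korgo-like IRC connection rule"; '
    'classtype:trojan-activity; sid:9000001; rev:1;)'
)


def parse_rule(text):
    """Parse one (possibly line-wrapped) Snort rule into a dict of header fields and options."""
    flat = " ".join(line.strip() for line in text.strip().splitlines())
    m = HEADER_RE.match(flat)
    if not m:
        raise ValueError("not a Snort rule: %r" % flat[:60])
    rule = m.groupdict()
    opts = {}
    for opt in rule["options"].split(";"):
        opt = opt.strip()
        if not opt:
            continue
        if ":" in opt:
            key, val = opt.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
        else:
            opts[opt] = True  # flag-style option such as 'nocase'
    rule["options"] = opts
    return rule


def lint_rule(rule):
    """Return a list of human-readable findings for a parsed rule (empty list = clean)."""
    findings = []
    proto = rule["proto"].lower()
    if proto in PORTLESS_PROTOCOLS and (rule["sport"] != "any" or rule["dport"] != "any"):
        findings.append(
            "protocol %s carries no ports, but rule specifies %s -> %s"
            % (proto, rule["sport"], rule["dport"])
        )
    if not any(k in rule["options"] for k in PAYLOAD_OPTIONS):
        findings.append("no payload match (content/pcre/uricontent): rule fires on header fields alone")
    return findings


def lint_ruleset(rules):
    """Lint several rule texts; returns {sid: findings} for rules that have findings."""
    report = {}
    for text in rules:
        rule = parse_rule(text)
        findings = lint_rule(rule)
        if findings:
            report[rule["options"].get("sid", "?")] = findings
    return report


if __name__ == "__main__":
    for sid, findings in lint_ruleset([NETSKY_RULE, KORGO_LIKE_RULE]).items():
        for f in findings:
            print("sid:%s  %s" % (sid, f))
```

Run as a script it prints one finding per problem rule: the icmp/port mismatch for sid:2001283 and the header-only warning for the constructed IRC rule. Changing `alert icmp` to `alert tcp` in the Netsky rule, as Matt did, makes it lint clean; the IRC-style rule only becomes clean once a `content` or `pcre` option narrows it beyond address and port, which is the fix Chris's false-positive report points toward.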