[Snort-sigs] Re: Question about bleeding Netsky rule?

Chris Keladis chris at ...2461...
Fri Jan 14 18:19:01 EST 2005

Hi Matt,

On the subject of virus rules, "BLEEDING-EDGE VIRUS Korgo Worm IRC 
Connection" (sid:2001289; rev:2;) seems to me a little too broad.

It alerts when any TCP connection is made to selected IPs, to ports 

Some of those IPs include Undernet IRC servers which the Korgo worm 
possibly used, and therefore FP quite a bit on regular IRC traffic.

Just thought i'd mention it.



Matt Jonkman wrote:

> You're correct, it should be tcp. Surprised snort hasn't complained 
> about that one. Thanks for pointing it out.
> Fixed and posted. Thanks
> Matt
> James Riden wrote:
>> From today's bleeding-virus.rules:
>> alert icmp $HOME_NET any -> any 25 
>> (content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; 
>> msg:"BLEEDING-EDGE VIRUS Netsky base64 port 25"; 
>> classtype:trojan-activity; sid:2001283; rev:2; )
>> I don't understand the 'alert *icmp*'. Netsky is purely SMTP-based,
>> isn't it?
>> cheers,
>> Jamie

More information about the Snort-sigs mailing list