[Snort-sigs] Re: Question about bleeding Netsky rule?

Matt Jonkman matt at ...2436...
Fri Jan 14 18:33:13 EST 2005


That's a good point. I wonder if that worm is even out there in enough 
numbers to be worth trying to fix the signature?

Anyone seen it lately? I've not for a good while.

I think I'll drop that rule but leave it in the rule file. We have 
others, and the normal IRC rules will catch the worm as well.

Matt

Chris Keladis wrote:

> Hi Matt,
>
> On the subject of virus rules, "BLEEDING-EDGE VIRUS Korgo Worm IRC 
> Connection" (sid:2001289; rev:2;) seems to me a little too broad.
>
> It alerts when any TCP connection is made to selected IPs, to ports 
> 6667:6670.
>
> Some of those IPs include Undernet IRC servers which the Korgo worm 
> possibly used, and therefore FP quite a bit on regular IRC traffic.
>
> Just thought I'd mention it.
>
> Regards,
>
> Chris.