[Snort-sigs] Re: Question about bleeding Netsky rule?

Matt Jonkman matt at ...2436...
Fri Jan 14 18:33:13 EST 2005

That's a good point. I wonder if that worm is even out there in enough 
numbers to be worth trying to fix the signature?

Anyone seen it lately? I've not for a good while.

I think I'll drop that rule but leave it in the rule file. We have 
others, and the normal IRC rules will catch the worm as well.


Chris Keladis wrote:

> Hi Matt,
> On the subject of virus rules, "BLEEDING-EDGE VIRUS Korgo Worm IRC 
> Connection" (sid:2001289; rev:2;) seems to me a little too broad.
> It alerts when any TCP connection is made to selected IPs, to ports 
> 6667:6670.
> Some of those IPs include Undernet IRC servers which the Korgo worm 
> possibly used, and therefore FP quite a bit on regular IRC traffic.
> Just thought I'd mention it.
> Regards,
> Chris.
