[Snort-sigs] Re: Question about bleeding Netsky rule?
matt at ...2436...
Fri Jan 14 18:33:13 EST 2005
That's a good point. I wonder if that worm is even out there in enough
numbers to be worth trying to fix the signature?
Anyone seen it lately? I've not for a good while.
I think I'll drop that rule but leave it in the rule file. We have
others, and the normal IRC rules will catch the worm as well.
Chris Keladis wrote:
> Hi Matt,
> On the subject of virus rules, "BLEEDING-EDGE VIRUS Korgo Worm IRC
> Connection" (sid:2001289; rev:2;) seems to me a little too broad.
> It alerts when any TCP connection is made to selected IPs, to ports
> Some of those IPs include Undernet IRC servers which the Korgo worm
> possibly used, and therefore FP quite a bit on regular IRC traffic.
> Just thought I'd mention it.