[Snort-sigs] Bleeding-Edge Virus 2001268 false positive (SWEN.A)

Rich Adamson radamson at ...908...
Tue Jul 5 14:10:15 EDT 2005


FYI, the Bleeding-Edge Virus rule 2001268 is fired when an email is
sent that has a remote SupportDesk package attached from:
 http://www.networkstreaming.com/products.htm

snort: [1:2001268:4] BLEEDING-EDGE VIRUS SWEN.A Worm detected 
[Classification: A Network Trojan was detected]
[Priority: 1]: {TCP} 10.10.10.161:1099 -> 222.1.111.1:25

The exact signature in this rule does occur in this commercial software
package. 

I don't have a copy of the virus to recommend changes to this rule.

Rich