[Snort-sigs] Sourcefire VRT Certified Rules Update

Sourcefire VRT research at ...435...
Thu Jan 5 14:59:11 EST 2006



Sourcefire VRT Certified Rules Update

Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has improved detection
for the new Sober worm variant.


Details:
The Sober worm is a mass mailer normally spread via email. A variant of
this worm displays more infection indicators that can be detected
easily using rules.

Rules to detect machines infected with this variant of the Sober worm
are included in this update and are identified as SIDs 5320 and 5324.


Updated rules:
5321 - VIRUS Possible Sober virus set one NTP time check attempt (virus.rules)
5322 - VIRUS Possible Sober virus set two NTP time check attempt (virus.rules)
5323 - VIRUS Possible Sober virus set three NTP time check attempt (virus.rules)

New rules:
2519 - DELETED SMTP Client_Hello overflow attempt (deleted.rules)
2538 - DELETED SMTP SSLv3 Client_Hello request (deleted.rules)
2539 - DELETED SMTP SSLv3 Server_Hello request (deleted.rules)
2540 - DELETED SMTP SSLv3 invalid Client_Hello attempt (deleted.rules)
3060 - DELETED WEB-MISC TLS1 Client_Hello with pad via SSLv2 handshake request (deleted.rules)
5320 - VIRUS Possible Sober virus set one call home attempt (virus.rules)
5324 - VIRUS Possible Sober virus set two call home attempt (virus.rules)