[Snort-sigs] FP community rule sid:100000689; rev:1

Michael Scheidell scheidell at ...249...
Fri Jul 21 14:57:21 EDT 2006


community-smtp.rules:alert tcp !$SMTP_SERVERS any -> any 25 (msg:"COMMUNITY SMTP Mytob MAIL FROM Attempt"; flow:established,to_server; content:"MAIL FROM|3A|"; nocase; pcre:"/MAIL\s+FROM\s*\x3A\s*\x3C?(spm|fcnz|www|secur|abuse)@/i"; reference:url,www.symantec.com/avcenter/venc/data/w32.mytob at ...1512...; classtype:misc-attack; sid:100000689; rev:1;)


000 : 4D 41 49 4C 20 46 52 4F 4D 3A 3C 77 77 77 40 72   MAIL FROM:<www at ...3238...
010 : 70 64 30 30 37 2E 73 65 63 75 72 65 73 69 74 65   pd007.securesite
020 : 73 2E 6E 65 74 3E 20 53 49 5A 45 3D 36 37 35 31   s.net> SIZE=6751
030 : 0D 0A         


-- 
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
scheidell at ...249...  / 1+561-999-5000, x 1131