[Snort-sigs] Rule for MSWord GinWin.

Ureleet Ureleet ureleet at ...2420...
Tue May 23 04:32:17 EDT 2006

I have written a rule to detect the MS Word virus GinWin vulnerability
on our network, and am sharing it with the community.

It's not the best rule, and I hope VRT comes out with something
better, but this rule basically looks for the DNS queries that the
virus performs.

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS
GinWui infected host"; content:"|01 00|"; offset:2; depth:2;

Please review.
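An added example, not part of the original post: the visible rule fragment `content:"|01 00|"; offset:2; depth:2;` selects bytes 2-3 of the UDP payload, the DNS flags field, where 0x0100 is a standard query with recursion desired. The Python sketch below applies that same check and then compares the queried name against a watchlist; the domain `malware-c2.example` is a placeholder because the post does not show the queried names, and all function names are hypothetical.

```python
import struct

# Placeholder watchlist: the post does not give the domains the malware queries.
WATCHLIST = {"malware-c2.example"}

def encode_qname(name):
    """Encode a hostname as DNS length-prefixed labels (wire format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid=0x1234, flags=0x0100):
    """Build a constructed DNS query payload (UDP body only) for testing."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)

def parse_qname(payload, pos=12):
    """Read the first question name; reject pointers, bad lengths, overruns."""
    labels = []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated QNAME")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        # Lengths above 63 are compression pointers or invalid in a question.
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label length")
        label = payload[pos:pos + length].decode("ascii", "replace")
        labels.append(label.lower())  # DNS names are case-insensitive
        pos += length
    return ".".join(labels)

def matches(payload):
    """True if payload is a standard RD query for a watchlisted name."""
    # Same test as the rule fragment: bytes 2-3 must equal 01 00.
    if len(payload) < 17 or payload[2:4] != b"\x01\x00":
        return False
    try:
        name = parse_qname(payload)
    except ValueError:
        return False
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)
```

In a Snort `content` match the name would appear in the same length-prefixed form that `encode_qname` produces, not as a dotted string.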
