[Snort-sigs] Rule for MSWord GinWin.
ureleet at ...2420...
Tue May 23 04:32:17 EDT 2006
I have written a rule to detect the MS Word virus GinWin vulnerability
on our network, and am sharing it with the community.
It's not the best rule, and I hope VRT comes out with something
better, but this rule basically looks for the DNS queries that the

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS
GinWui infected host"; content:"|01 00|"; offset:2; depth:2;