[Snort-sigs] Rule for MSWord GinWui.

Ureleet Ureleet ureleet at ...2420...
Tue May 23 04:32:17 EDT 2006


I have written a rule to detect the MS Word virus GinWui vulnerability
on our network, and am sharing it with the community.

It's not the best rule, and I hope VRT comes out with something
better, but this rule basically looks for the DNS queries that the
virus performs.

# sid is a placeholder from the local range (1000000+); the posted rule had
# none, and Snort will not load a rule without a sid.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \
  msg:"COMMUNITY VIRUS GinWui infected host"; \
  content:"|01 00|"; offset:2; depth:2; \
  pcre:"/((\x05scfzf\x04xicp\x03net)|(\x0alocalhosts\x043322\x03org))/Ri"; \
  classtype:trojan-activity; sid:1000001; rev:1; )

Please review.
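The matching logic of the rule in the post above, replayed in Python over constructed DNS packets. This is an added example, not code from the original post or from Snort; the packets, hostnames and the local helper names (encode_qname, build_dns_packet, rule_matches) are assumptions made for the demo. It shows the two checks the rule relies on: the header flags 0x0100 at bytes 2-3 (a standard query with recursion desired), and the length-prefixed QNAME labels that the pcre expects, which is why a hostname must be written as |05|scfzf|04|xicp|03|net rather than as dotted text.

```python
"""Added example (not from the original post): applies the GinWui DNS
rule's checks to constructed DNS query packets.

  content:"|01 00|"; offset:2; depth:2;  -> bytes 2..3 of the payload
  pcre:"/.../Ri"                         -> label-encoded QNAME, matched
                                            case-insensitively after the
                                            end of the content match
"""
import re
import struct

# Same expression as the rule's pcre option. The /R flag is modelled by
# searching only the bytes after the content match; /i by re.IGNORECASE.
GINWUI_QNAME_RE = re.compile(
    rb"((\x05scfzf\x04xicp\x03net)|(\x0alocalhosts\x043322\x03org))",
    re.IGNORECASE,
)


def encode_qname(name: str) -> bytes:
    """DNS wire format for a hostname: each label is preceded by its
    length byte; the name is terminated by a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_packet(name: str, txid: int = 0x1234, flags: int = 0x0100,
                     qtype: int = 1) -> bytes:
    """Minimal DNS message with one question (default QTYPE A, QCLASS IN).
    flags=0x0100 is a standard query with RD set; 0x8180 is a typical reply."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def rule_matches(payload: bytes) -> bool:
    """Apply the rule's content and pcre checks to a UDP/53 payload."""
    # content:"|01 00|"; offset:2; depth:2;
    if payload[2:4] != b"\x01\x00":
        return False
    # pcre with /R: relative to the end of the previous content match
    return GINWUI_QNAME_RE.search(payload[4:]) is not None


def classify(packets):
    """Return (label, alert?) for each (label, payload) pair."""
    return [(label, rule_matches(p)) for label, p in packets]


if __name__ == "__main__":
    # Constructed sample traffic for the demo.
    samples = [
        ("query scfzf.xicp.net", build_dns_packet("scfzf.xicp.net")),
        ("query LOCALHOSTS.3322.ORG", build_dns_packet("LOCALHOSTS.3322.ORG")),
        ("query www.example.com", build_dns_packet("www.example.com")),
        # a reply carrying the same name has flags 0x8180: content check fails
        ("reply scfzf.xicp.net", build_dns_packet("scfzf.xicp.net", flags=0x8180)),
        # same characters but different label boundaries: pcre does not match
        ("query scfzfxicp.net", build_dns_packet("scfzfxicp.net")),
    ]
    for label, hit in classify(samples):
        print(f"{label:28s} -> {'ALERT' if hit else 'no alert'}")
```

One deployment caveat worth keeping in mind: the rule's direction is $HOME_NET -> $EXTERNAL_NET port 53, so on a network where clients query an internal recursive resolver the alert will fire on the resolver's outbound lookup and name the resolver, not the infected workstation; a second copy scoped to the internal resolver's address (or a check of the resolver's query log) is needed to find the actual host.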
