Fwd: [Snort-sigs] Rule for MSWord GinWin.

Ureleet Ureleet ureleet at ...2420...
Tue May 23 06:14:28 EDT 2006


---------- Forwarded message ----------
From: rmkml <rmkml at ...324...>
Date: May 23, 2006 7:59 AM
Subject: Re: [Snort-sigs] Rule for MSWord GinWin.
To: Ureleet Ureleet <ureleet at ...2420...>


Hi,
thx,
do you have Snort output or a pcap file?
Best Regards
Rmkml


On Tue, 23 May 2006, Ureleet Ureleet wrote:

> Date: Tue, 23 May 2006 07:31:27 -0400
> From: Ureleet Ureleet <ureleet at ...2420...>
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] Rule for MSWord GinWin.
>
> I have written a rule to detect the MS Word virus GinWin vulnerability
> on our network, and am sharing it with the community.
>
> It's not the best rule, and I hope VRT comes out with something
> better, but this rule basically looks for the dns queries that the
> virus performs.
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"COMMUNITY VIRUS
> GinWui infected host"; content:"|01 00|"; offset:2; depth:2;
> pcre:"/((\x05scfzf\x04xicp\x03net)|(\x0alocalhosts\x043322\x03org))/Ri";
> rev:1;)
>
> Please review.
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
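To see what the posted rule's content and pcre options actually test against on the wire, here is an added Python sketch (not from the thread) that builds a constructed standard DNS query for the rule's own domains and applies the same two checks to the UDP payload: the flags bytes at offset 2, then the label-encoded names searched relative to that match. The transaction id and query type are assumptions.

```python
import re
import struct

# The two domains from the posted rule, as DNS wire-format labels (length byte + label),
# matched case-insensitively like the rule's /i modifier.
GINWUI_QNAME_RE = re.compile(
    rb"(?:\x05scfzf\x04xicp\x03net)|(?:\x0alocalhosts\x043322\x03org)", re.IGNORECASE
)


def encode_qname(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels, terminated by the root (zero) byte."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return labels + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard A query (UDP payload only, no IP/UDP headers)."""
    # flags 0x0100 = standard query with recursion desired; QDCOUNT = 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def rule_matches(payload: bytes) -> bool:
    """Mirror the rule: content "|01 00|" at offset 2, depth 2, then pcre relative to it."""
    if payload[2:4] != b"\x01\x00":
        return False
    # The /R modifier starts the regex search right after the previous content match.
    return GINWUI_QNAME_RE.search(payload, 4) is not None


if __name__ == "__main__":
    for host in ("scfzf.xicp.net", "LOCALHOSTS.3322.ORG", "www.example.com"):
        print(host, rule_matches(build_dns_query(host)))
```

Because the flags check only accepts 0x0100, a DNS response carrying the same name (flags 0x8180) is not matched, and because the pcre is unanchored, a query for any subdomain of the listed names is. A deployable version of the rule would also need a sid (and normally a classtype), which the posted text omits.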