Fwd: [Snort-sigs] Rule for MSWord GinWin.

Ureleet Ureleet ureleet at ...2420...
Tue May 23 06:19:08 EDT 2006


---------- Forwarded message ----------
From: rmkml <rmkml at ...324...>
Date: May 23, 2006 9:16 AM
Subject: Re: [Snort-sigs] Rule for MSWord GinWin.
To: Ureleet Ureleet <ureleet at ...2420...>


Possibly add the -b option on the command line? (temporarily)


On Tue, 23 May 2006, Ureleet Ureleet wrote:

> Date: Tue, 23 May 2006 09:13:28 -0400
> From: Ureleet Ureleet <ureleet at ...2420...>
> To: rmkml <rmkml at ...324...>
> Subject: Re: [Snort-sigs] Rule for MSWord GinWin.
>
> Nope.
>
> On 5/23/06, rmkml <rmkml at ...324...> wrote:
>> Hi,
>> thx,
>> do you have snort output or pcap file ?
>> Best Regards
>> Rmkml
>>
>>
>> On Tue, 23 May 2006, Ureleet Ureleet wrote:
>>
>> > Date: Tue, 23 May 2006 07:31:27 -0400
>> > From: Ureleet Ureleet <ureleet at ...2420...>
>> > To: snort-sigs at lists.sourceforge.net
>> > Subject: [Snort-sigs] Rule for MSWord GinWin.
>> >
>> > I have written a rule to detect the MS Word virus GinWin vulnerability
>> > on our network, and am sharing with community.
>> >
>> > It's not the best rule, and I hope VRT comes out with something
>> > better, but this rule basically looks for the dns queries that the
>> > virus performs.
>> >
>> > alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( \
>> >     msg:"COMMUNITY VIRUS GinWui infected host"; \
>> >     content:"|01 00|"; offset:2; depth:2; \
>> >     pcre:"/((\x05scfzf\x04xicp\x03net)|(\x0alocalhosts\x043322\x03org))/Ri"; \
>> >     rev:1; \
>> > )
>> >
>> > Please review.
>> >
>> >
>> > _______________________________________________
>> > Snort-sigs mailing list
>> > Snort-sigs at lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> >
>>
>
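Worked example added by the editor, not part of the thread above and not code from either poster: it reproduces the payload checks of the posted rule in Python (flags bytes at offset 2 must be exactly 01 00, then the case-insensitive PCRE searched relative to that match) and runs them over constructed DNS query payloads for the two hostnames the rule names. The hostnames and the wire-format encoding are as given in the rule; the sample payloads, transaction IDs and the hypothetical AD-bit query are assumptions built here to show what the rule catches and what it misses.

```python
import re
import struct

# The rule's pcre after Snort unescapes the \xNN sequences: the two hostnames
# in DNS wire form (length-prefixed labels), case-insensitive because of /i.
RULE_PCRE = re.compile(
    rb"((\x05scfzf\x04xicp\x03net)|(\x0alocalhosts\x043322\x03org))",
    re.IGNORECASE,
)


def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS labels: one length byte per label, 0x00 terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234, flags: int = 0x0100,
                    qtype: int = 1) -> bytes:
    """Build the UDP payload of a DNS query: 12-byte header plus one IN question.

    flags=0x0100 is a plain standard query with RD set, which is what the
    rule's content:"|01 00|"; offset:2; depth:2; expects to see.
    """
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def rule_matches(payload: bytes) -> bool:
    """Apply the posted rule's two payload checks to a UDP/53 payload.

    content:"|01 00|"; offset:2; depth:2;  -> bytes 2..3 must equal 01 00
    pcre:"/.../Ri";                         -> /R searches relative to the end of
                                              that content match, i.e. from byte 4
    """
    if payload[2:4] != b"\x01\x00":
        return False
    return RULE_PCRE.search(payload, 4) is not None


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "ginwui scfzf.xicp.net": build_dns_query("scfzf.xicp.net"),
    "ginwui mixed case": build_dns_query("LocalHosts.3322.org", txid=0x2a2a),
    "benign www.example.com": build_dns_query("www.example.com"),
    # Hypothetical: same name, but the stub set the AD bit (flags 0x0120).
    # The exact 01 00 content match does not fire on it.
    "ginwui with AD bit set": build_dns_query("scfzf.xicp.net", flags=0x0120),
}


def evaluate(samples=SAMPLES) -> dict:
    """Run the rule logic over every sample and return {label: matched}."""
    return {label: rule_matches(payload) for label, payload in samples.items()}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'ALERT ' if hit else 'pass  '} {label}")
```

Two points this makes that the thread does not: the rule as posted has no sid, and Snort 2 refuses to load a rule without one, so a local sid (the 1000000+ range) has to be added before it can be tested; and the flags check is an exact two-byte match, so a query whose flags differ in any bit (AD or CD set, for example) is not examined at all, while the PCRE itself has no terminator anchor and would also match the names as a prefix of a longer one. The direction $HOME_NET any -> $EXTERNAL_NET 53 also means queries that go to an internal recursive resolver are never seen by this rule; watching the resolver's own outbound queries, or $HOME_NET -> any 53, covers that case.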



