[Snort-sigs] SID 39379 Norton Antivirus ASPack

Y M snort at ...3751...
Mon Feb 13 15:10:58 EST 2017

A similar question came up the other day. This is a gid:3 rule, a Shared Object rule. The detection part is actually a compiled code and what you see is the rule stub. The flowbits is set by another rule to make sure that the detection alerts on executable files.



From: Charlie Dyer <charlierwdyer at ...2420...>
Sent: Monday, February 13, 2017 11:01:50 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] SID 39379 Norton Antivirus ASPack

Hello list

Could anyone shed light on the rule 39379?

I can't see any content matching, it simply alerts on any file that is an executable being downloaded, is that right?
If so, what has this got to do with Norton Antivirus?

Many thanks in advance.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170213/782ee751/attachment.html>

More information about the Snort-sigs mailing list