[Snort-users] W32.Badtrans.B at ...4138...

Tom Fischer tfischer at ...4078...
Tue Nov 27 12:10:57 EST 2001



On Tuesday, 27 November 2001 16:30, you wrote:
> Brad:
>
> This seems to be doing it for me:
>
> alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm";
>   content: ".scr"; nocase; sid:729;  classtype:misc-activity; rev:3;)

yes, but mails with .scr in content (like this) are making nice false 
positives ;)

Tom
-- 
Tom Fischer			ABH Marketingservice GmbH
System Administrator		Weisshaustraße 23a
Tel: 0221-94400446		50939 Köln	
http://www.abh.de
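
The false positive described in the reply above, as an added example that is not part of the original message: the quoted rule's raw substring match compared with a check of declared MIME attachment names. It uses Python's standard `email` module as an offline illustration, not Snort's detection engine; the two sample messages, addresses and the filename are constructed.

```python
import email
from email import policy

RISKY_EXT = (".scr",)  # extension targeted by the rule quoted in the thread

def naive_match(raw: bytes) -> bool:
    """Mimic content:".scr"; nocase; applied to the whole retrieved message."""
    return b".scr" in raw.lower()

def attachment_match(raw: bytes) -> list:
    """Return declared attachment names that end in a risky extension."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename and falls back
        # to the name parameter of Content-Type.
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            hits.append(name)
    return hits

# Constructed sample 1: plain-text mail that only talks about the rule.
DISCUSSION = (
    b"From: a@example.org\r\nSubject: Re: rule\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b'The rule uses content: ".scr" and fires on this very mail.\r\n'
)

# Constructed sample 2: mail carrying an attachment named *.SCR.
ATTACHMENT = (
    b"From: b@example.org\r\nSubject: hi\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="B1"\r\n\r\n'
    b"--B1\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
    b"--B1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="sample.doc.SCR"\r\n\r\n'
    b"placeholder bytes\r\n--B1--\r\n"
)

if __name__ == "__main__":
    for label, raw in (("discussion", DISCUSSION), ("attachment", ATTACHMENT)):
        print(label, "naive:", naive_match(raw),
              "attachment names:", attachment_match(raw))
```

The substring match fires on both messages, while the filename check reports only the message that actually declares a `.scr` attachment.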




