[Snort-users] scr Worm - false alarms

Wolfgang Rohdewald wr6 at ...4412...
Sun Jan 27 20:48:02 EST 2002


this string results in a warning:

65 69 76 65 64 3A 20 66 72 6F 6D 20 61 64 73 6C  eived: from adsl
2D 36 34 2D 31 36 34 2D 33 36 2D 35 37 2E 64 73  -64-164-36-57.ds
6C 2E 73 63 72 6D 30 31 2E 70 61 63 62 65 6C 6C  l.scrm01.pacbell
2E 6E 65 74 20 28 48 45 4C 4F 20 64 73 6C 2E 6C  .net (HELO dsl.l
6F 63 61 6C 29 20 28 72 6F 6F 74 40 36 34 2E 31  ocal) (root at ...4700...

caused by this rule:

alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; content:".scr"; nocase; sid:729; classtype:misc-activity; rev:3;)


Is it possible to change this rule such that .scr only triggers if
not followed by other characters? Supposing an extension like .scrm
cannot carry that virus - which I am not certain of.

Wolfgang
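A worked illustration of the distinction raised above, added here as an example and not part of the original post or of the Snort ruleset. The first function models what sid:729's content:".scr"; nocase; actually does (a case-insensitive substring search), the second models a tightened check in which ".scr" must not be followed by another letter or digit, which is what a pcre option such as /\.scr(?![a-z0-9])/i would express in a later Snort release that supports the pcre keyword. The sample lines are constructed for the example; the first one reproduces the Received header from the post.

```python
import re

# Constructed sample payload fragments (not captured traffic). The first
# reproduces the Received: header quoted in the post; the others are made up
# to show a real screensaver attachment, a ".scr." inside a longer name,
# and a line with no ".scr" at all.
SAMPLES = {
    "pacbell_header": "Received: from adsl-64-164-36-57.dsl.scrm01.pacbell.net (HELO dsl.local)",
    "screensaver_attachment": 'Content-Disposition: attachment; filename="party.SCR"',
    "scr_then_dot": 'Content-Type: application/octet-stream; name="readme.scr.txt"',
    "no_scr": "Subject: weekly report",
}


def content_match(payload: str, pattern: str = ".scr") -> bool:
    """Model of Snort's content:".scr"; nocase; -- a plain case-insensitive
    substring search, so ".scrm01" in a hostname matches just as well as a
    file name ending in .scr."""
    return pattern.lower() in payload.lower()


# Tightened pattern: ".scr" followed by anything except a letter or digit
# (or end of data). This is the same regex one would hand to Snort's pcre
# keyword as /\.scr(?![a-z0-9])/i -- assumption: the rule would keep
# sid:729's other options and add this pcre check alongside the content match.
SCR_EXT = re.compile(r"\.scr(?![a-z0-9])", re.IGNORECASE)


def extension_match(payload: str) -> bool:
    """True only when ".scr" is not immediately followed by an alphanumeric,
    so the ".scrm01" hostname no longer fires but "party.SCR" still does."""
    return SCR_EXT.search(payload) is not None


def compare(samples: dict = SAMPLES) -> dict:
    """Return {name: (substring_hit, extension_hit)} for every sample, so the
    two behaviours can be read side by side."""
    return {name: (content_match(p), extension_match(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (substr_hit, ext_hit) in compare().items():
        print(f"{name:24s} content:{substr_hit!s:5s} pcre:{ext_hit!s}")
```

The tightened check still fires on "readme.scr.txt", because a dot is not alphanumeric; whether a double extension like that should alert is a policy decision rather than a regex one, and the original rule's wider net already flagged it. Note also that the original rule inspects every POP3 server-to-client packet, so the extension check only reduces hostname and word false positives; it does nothing about a real .scr attachment that happens to straddle a packet boundary.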
