[Snort-users] BugBear worm

Shane Williams shanew at ...5387...
Fri Jul 18 09:30:18 EDT 2003


Well, I would recommend looking at the headers of the messages
themselves, but if you really want a rule, check the archives from
around June 7-8.  There was an original rule suggestion, and I then
offered up a different content text that (from my experience) seemed
to be more tuned.

On Fri, 18 Jul 2003, Always Bishan wrote:

> Hi Snorters,
> 
> We have a client who is facing a BugBear worm attack
> in their network. They are not able to locate the
> source of this worm.
> Can we detect BugBear using Snort?
> Do we have rules to detect it?
> 
> Regards,
> Bishan
> 

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew at ...5387...
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew




