[Snort-users] Fizzer Virus Signature

Jason Haar Jason.Haar at ...294...
Wed May 14 16:26:07 EDT 2003


On Wed, May 14, 2003 at 07:01:01PM +0200, operator wrote:
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"W32.HLLW.Fizzer at ...4138...
> SMTP Trojan Attempt"; flow:to_server,established;
> content:"AHMAZQByAHYAYwAuAGUAeABl";\
> reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizz
> er at ...3071...; classtype: trojan-activity; sid:1000004; rev:1;)

First thing that should be fixed is to add a 'content:"Content-Type: xxx"'
to the SMTP rules. Otherwise these messages (this one included!) will
trigger the alert.

It should be a "Content-Type: application/" or the like...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
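
Added example (not from the original thread or from Snort itself): a minimal simulation of the false positive Jason describes, checking the original single-content rule and a version with the extra Content-Type match against two constructed SMTP payloads. The payloads, addresses and base64 padding around the rule's own fragment are made up for illustration; the matcher approximates Snort's content semantics (all content: options must appear) and ignores modifiers such as nocase, offset, depth and within.

```python
# Constructed sample SMTP payloads (not real captures). Only the base64 fragment
# "AHMAZQByAHYAYwAuAGUAeABl" comes from the rule in the thread; everything else
# is invented for this illustration.
FIZZER_CONTENT = "AHMAZQByAHYAYwAuAGUAeABl"

# A message carrying a base64 attachment that contains the fragment.
MAIL_WITH_ATTACHMENT = (
    "From: sender@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    'Content-Type: application/octet-stream; name="file.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "TVqQAAMAAAAEAAAA" + FIZZER_CONTENT + "AAAAAAAAAAAA\r\n"
)

# A plain-text mailing list message that merely quotes the signature.
MAIL_DISCUSSING_RULE = (
    "From: operator@example.invalid\r\n"
    "To: snort-users@example.invalid\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"Fizzer SMTP Trojan";\r\n'
    'content:"' + FIZZER_CONTENT + '"; sid:1000004; rev:1;)\r\n'
)

# The content: options of the rule as posted, and of the tuned variant suggested
# in the reply (the extra match is the one assumed from "Content-Type: application/").
ORIGINAL_RULE = [FIZZER_CONTENT]
TUNED_RULE = ["Content-Type: application/", FIZZER_CONTENT]


def rule_matches(contents, payload):
    """Simplified Snort semantics: every content: option must occur in the payload."""
    return all(pattern in payload for pattern in contents)


def evaluate(payloads):
    """Return {name: (original_rule_fires, tuned_rule_fires)} for each payload."""
    return {
        name: (rule_matches(ORIGINAL_RULE, data), rule_matches(TUNED_RULE, data))
        for name, data in payloads.items()
    }


if __name__ == "__main__":
    samples = {"attachment": MAIL_WITH_ATTACHMENT, "discussion": MAIL_DISCUSSING_RULE}
    for name, (orig, tuned) in evaluate(samples).items():
        print(f"{name:<12} original={orig!s:<5} tuned={tuned}")
```

The original rule fires on both messages, so a list post quoting the signature is itself an alert; the tuned rule fires only on the message carrying an application/ attachment.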
