[Snort-users] welchia rule

Schmehl, Paul L pauls at ...6838...
Tue Nov 4 07:45:37 EST 2003


> -----Original Message-----
> From: David Omar Ortega Aranda [mailto:dortega at ...10460...] 
> Sent: Monday, November 03, 2003 5:51 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] welchia rule
> 
> Do any of you have a good working Welchia virus signature?

# This rule is for tracking Nachi infections
alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!"; \
 content: "|aaaa aaaa aaaa \
 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa \
 aaaa aaaa aaaa aaaa aaaa \
 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|"; dsize:64; itype: 8; icode: 0; \
 classtype:trojan-activity; sid: 10000008; rev: 1;)

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
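
How the rule's itype, icode, dsize and content tests apply to a single ICMP message, as an added Python example that is not part of the original post. The names `hex_content`, `matches_rule` and `echo` are hypothetical, the sample messages are constructed, and two things are assumptions: dsize is taken as the bytes after the 8-byte echo header, and the `$HOME_NET` source test is not modelled.

```python
import struct

# content: value copied from the rule above (hex bytes between the pipes).
RULE_CONTENT = (
    "|aaaa aaaa aaaa"
    " aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa"
    " aaaa aaaa aaaa aaaa aaaa"
    " aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|"
)

def hex_content(option):
    """Decode a Snort content value that is pure |hex| into bytes."""
    if not (option.startswith("|") and option.endswith("|")):
        raise ValueError("expected a |hex| content value")
    return bytes.fromhex(option.strip("|").replace(" ", ""))

def matches_rule(icmp):
    """Apply itype:8, icode:0, dsize:64 and content to one ICMP message."""
    if len(icmp) < 8:
        return False  # truncated: no complete echo header
    itype, icode = icmp[0], icmp[1]
    payload = icmp[8:]  # assumption: dsize counts the bytes after id/seq
    return (itype == 8 and icode == 0 and len(payload) == 64
            and hex_content(RULE_CONTENT) in payload)

def echo(itype, payload, icode=0):
    """Build a constructed ICMP message (checksum left at 0, not verified)."""
    return struct.pack("!BBHHH", itype, icode, 0, 0x0200, 1) + payload

# Constructed sample messages, not captured traffic.
SAMPLES = {
    "echo request, 64 x 0xaa": echo(8, b"\xaa" * 64),
    "echo reply, 64 x 0xaa": echo(0, b"\xaa" * 64),
    "echo request, 32-byte alphabet": echo(8, b"abcdefghijklmnopqrstuvwabcdefghi"),
    "echo request, 56 x 0xaa": echo(8, b"\xaa" * 56),
    "echo request, half 0xaa": echo(8, b"\xaa" * 32 + b"\x00" * 32),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:32} {'ALERT' if matches_rule(msg) else 'no match'}")
```

Only the first sample satisfies all four tests; each of the others fails exactly one of them (type, content, size, content).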



