[Snort-users] welchia rule

Leonard Miller Leonard.Miller at ...7710...
Tue Nov 4 09:12:02 EST 2003


Hi,
I just started using snort.  In order to use this rule, do I just add
that
to the virus.rules file and enable the rule in snort.conf?
If I should start with something a little more simple, let me know.

Thanks
Leonard
Automatically inserted lawyer supplied blurb follows.


>>> "Schmehl, Paul L" <pauls at ...6838...> 11/04/03 10:44AM >>>
> -----Original Message-----
> From: David Omar Ortega Aranda [mailto:dortega at ...10460...] 
> Sent: Monday, November 03, 2003 5:51 PM
> To: snort-users at lists.sourceforge.net 
> Subject: [Snort-users] welchia rule
> 
> Do any of you have a good working Welchia virus signature?

# This rule is for tracking Nachi infections
alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI
Infection!!";
content: "|aaaa aaaa aaaa\
 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa aaaa aaaa aaaa\
 aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|"; dsize:64; itype: 8;
icode: 0; \
 classtype:trojan-activity; sid: 10000008; rev: 1;)

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 




**********CONFIDENTIALITY NOTICE**********
The information contained in this e-mail may be proprietary and/or 
privileged and is intended for the sole use of the individual or 
organization named above.  If you are not the intended recipient or an 
authorized representative of the intended recipient, any review, copying
or distribution of this e-mail and its attachments, if any, is prohibited.
If you have received this e-mail in error, please notify the sender
immediately by return e-mail and delete this message from your system.





More information about the Snort-users mailing list