[Snort-users] W32.Novarg.A at ...4138... worm Work!, but....

Snortty cwcwcwg at ...131...
Mon Feb 2 10:10:14 EST 2004


All, 

I did add this rule below to my virus.rules file last
week thanks to this Snor-Users suggesting, and
activated this rule from snort.conf file, It works
detecting some REAL infected machines.

alert tcp any any -> any any (msg: "W32.Novarg.A at ...4138...
worm"; content: "represented in 7-bit ASCII"; nocase;
sid:1000569;)


But, later on, some alerts showing Severity level
MEDIUM, others showing LOW, by this SAME rule. Can
someone tell me WHY please?

Thanks a lot again. 

Snortlover. 

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
http://webhosting.yahoo.com/ps/sb/




More information about the Snort-users mailing list