[Snort-users] W32.Novarg.A at ...4138... worm Work!, but....
cwcwcwg at ...131...
Mon Feb 2 10:10:14 EST 2004
I did add this rule below to my virus.rules file last
week thanks to this Snor-Users suggesting, and
activated this rule from snort.conf file, It works
detecting some REAL infected machines.
alert tcp any any -> any any (msg: "W32.Novarg.A at ...4138...
worm"; content: "represented in 7-bit ASCII"; nocase;
But, later on, some alerts showing Severity level
MEDIUM, others showing LOW, by this SAME rule. Can
someone tell me WHY please?
Thanks a lot again.
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
More information about the Snort-users