[Snort-users] W32.Novarg.A at ...4138... worm Work!, but....

Snortty cwcwcwg at ...131...
Mon Feb 2 10:10:14 EST 2004


I did add this rule below to my virus.rules file last
week thanks to this Snor-Users suggesting, and
activated this rule from snort.conf file, It works
detecting some REAL infected machines.

alert tcp any any -> any any (msg: "W32.Novarg.A at ...4138...
worm"; content: "represented in 7-bit ASCII"; nocase;

But, later on, some alerts showing Severity level
MEDIUM, others showing LOW, by this SAME rule. Can
someone tell me WHY please?

Thanks a lot again. 


Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!

More information about the Snort-users mailing list