[Snort-users] NetSky worm signature definition...!!!
thergert at ...11240...
Thu Feb 19 14:52:03 EST 2004
Having a portion that is a mass mailer, you'll see it come in on port 25 for
sure . . .
Using Matt Kettler's suggestion, I quickly kluged together a rule using the
ClamAV signature.
However, the old Klez detection rule seems to be triggered by NetSky, and
the log times seem to correlate exactly with the logs from the antivirus
software on the mail server.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:3;)
Seems to work well for me, but maybe I'm just lucky.
From: Semerjian, Ohanes [mailto:ohanes.semerjian at ...8907...]
Sent: February 18, 2004 8:23 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] NetSky worm signature definition...!!!
Was just wondering if anyone had this latest worm signature defined or knows
how it works (like which port or protocol it uses).
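Why the old Klez rule also fires on NetSky mail: the content string in that rule, VGhpcyBwcm9, is the base64 encoding of "This pro" when the text starts on a 3-byte group boundary, i.e. the start of the "This program cannot be run in DOS mode." message carried by the MS-DOS stub of practically every Windows executable. With the usual Microsoft stub that message sits at file offset 0x4E (78), a multiple of 3, so a base64-encoded .exe/.scr/.pif attachment of any mass mailer will carry exactly that string. The Python below is an added example, not code from the thread, from Snort or from ClamAV; DOS_STUB_MSG, fake_pe_attachment (a constructed layout, not a real executable) and the 0x4E offset assumption are mine. It also shows the two ways the match fails: a stub that puts the message at a different offset mod 3, and a MIME line break (every 76 characters) landing inside the 11-character string.

```python
import base64

# Fixed content match from the "VIRUS Klez Incoming" rule (sid 1800) quoted above.
KLEZ_CONTENT = b"VGhpcyBwcm9"

# Message carried by the standard MS-DOS stub of a PE executable (assumed text;
# this is what the linker's default stub prints when run under DOS).
DOS_STUB_MSG = b"This program cannot be run in DOS mode.\r\r\n$"


def base64_variants(data: bytes) -> dict:
    """Encode `data` as it would appear in a base64 body when it begins at byte
    offset 0, 1 or 2 (mod 3) inside the attachment. Base64 maps each 3-byte
    group to 4 characters, so the same plaintext has three different ASCII
    spellings, and a fixed content match can only hit one of them."""
    variants = {}
    for offset in range(3):
        # Hypothetical preceding bytes so that `data` starts at `offset` mod 3.
        prefix = b"\x00" * offset
        variants[offset] = base64.b64encode(prefix + data)
    return variants


def offsets_matching(data: bytes, needle: bytes = KLEZ_CONTENT) -> list:
    """Alignments (offset mod 3) at which `needle` shows up in the encoding of `data`."""
    return [off for off, enc in base64_variants(data).items() if needle in enc]


def fake_pe_attachment(message_offset: int = 0x4E) -> bytes:
    """Constructed stand-in for an executable attachment: 'MZ', filler in place
    of the real header and stub code, then the stub message at `message_offset`
    (0x4E is where the usual Microsoft stub puts it), then some trailing bytes.
    Only the layout matters here; this is not a runnable executable."""
    if message_offset < 2:
        raise ValueError("message must follow the MZ signature")
    return b"MZ" + b"\x00" * (message_offset - 2) + DOS_STUB_MSG + b"\x00" * 64


def rule_fires(attachment: bytes) -> bool:
    """Emulate the rule's single content match against the attachment as it
    travels over SMTP: base64 wrapped at 76 characters, line breaks included.
    Snort matches on the payload as sent, so a break inside the string is a miss."""
    body = base64.encodebytes(attachment)  # MIME-style 76-char lines
    return KLEZ_CONTENT in body


if __name__ == "__main__":
    print("stub message matches at alignment(s):", offsets_matching(DOS_STUB_MSG))
    print("typical stub (offset 0x4E):", rule_fires(fake_pe_attachment(0x4E)))
    print("stub moved by one byte   :", rule_fires(fake_pe_attachment(0x4F)))
    print("message split by MIME line break (offset 54):", rule_fires(fake_pe_attachment(54)))
```

The practical reading: the rule is really "base64-encoded Windows executable on port 25 with a default DOS stub", which is why it lines up with the mail server's antivirus log for NetSky as well as Klez; it is also why it stays silent on a sample whose stub is padded or rewritten, or whose attachment is sent in a different encoding.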