[Snort-users] NetSky worm signature definition...!!!

Tim Hergert thergert at ...11240...
Thu Feb 19 14:52:03 EST 2004


Having a portion that is a mass mailer, you'll see it come in on port 25 for
sure . . . 

Using Matt Kettler's suggestion, I quickly kluged together a rule using the
clam av signature
http://www.clamav.net/

However, the old Klez detection rule seems to be triggered by NetSky, and
the log times seem to correlate exactly with the logs from the antivirus
software on the mail server.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming";
flow:to_server,established; dsize:>120;content:"MIME";
content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:3;)

Seems to work well for me, but maybe I'm just lucky.


-----Original Message-----
From: Semerjian, Ohanes [mailto:ohanes.semerjian at ...8907...]
Sent: February 18, 2004 8:23 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] NetSky worm signature definition...!!!


Hello all, 
Just was wondering if any one had this latest worm signature defined or know
it works (like which port, protocol it uses )
Best Regards 
Ohanes Semerjian 




More information about the Snort-users mailing list