<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
Perhaps the reason is that “vbs rat” isn’t a specific attack; it’s a generic term. We have lots of detection for Remote Access Tools; which <i>one</i> is really the question.
<div><br>
</div>
<div><br>
<div>
<div>On Jan 27, 2014, at 7:49 PM, Feroz Basir &lt;<a href="mailto:feroz.basir@...11827...">feroz.basir@...11827...</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div style="font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">
Hi again,<br>
<br>
Does anybody know? Please help. Thanks.<br>
<br>
<br>
Regards,<br>
Feroz Fazidi Bin Basir<br>
<br>
<blockquote type="cite">On 25 Jan 2014, at 19:34, Feroz Basir &lt;<a href="mailto:feroz.basir@...11827...">feroz.basir@...11827...</a>&gt; wrote:<br>
<br>
Hi all,<br>
<br>
Does anybody know which rule the VRT uses for detecting the VBS RAT threat? I'm sniffing proxy packets, which I think changes the packet.<br>
<br>
Thanks.<br>
<br>
<br>
Regards,<br>
Feroz Basir<br>
</blockquote>
<br>
_______________________________________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.sourceforge.net">Snort-users@...4626...ceforge.net</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-users">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
Snort-users list archive:<br>
<a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a><br>
<br>
Please visit<span class="Apple-converted-space"> </span><a href="http://blog.snort.org/">http://blog.snort.org</a><span class="Apple-converted-space"> </span>to stay current on all the latest Snort news!</div>
</blockquote>
</div>
<br>
</div>
</body>
</html>