Snort mailing list archives
Re: Klez Incoming
From: "Jacob Redding" <Jacob () wiredgeek com>
Date: Wed, 13 Nov 2002 13:35:56 -0800 (PST)
Shane,

The rule is found in virus.rules:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; flow:to_server,established; dsize:>120; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:2;)

Below is a copy-paste job from ACID minus names and word content to protect the innocent ;) 4th row contains the offending code.

We use Sybari Antigen for Exchange. It did not report this particular message as infected, our virus defs are up to date and it has reported others.

<snip..snip>
Content-Type: audio/x-midi;...name=Address Book.pfc.scr..
Content-Transfer-Encoding: base64..Content-ID: <ML572Y3j6iy3X>....
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..
AAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9 ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v..
ZGUuDQ0KJAAAAAAAAABxd Tv8NRRVrzUUVa81FFWvTghZrzEUVa+2CFuvNxRVr90LX68gFFWv3QtR..
rzcUVa9 XC0avPhRVrzUUVK+OFFWv3QterzoUVa+NElOvNBRVr1JpY2g1FFWvAAAAAAAAAFV QRQA
<snip>
We average about 30-40 per day with around 1000 accounts. Just to make sure, which rule are you using? If you've got a copy of an email that snort caught and your AV didn't, I'd be interested in seeing a copy.

On Wed, 13 Nov 2002, Jacob Redding wrote:

Every day I am receiving about 2-3 "VIRUS Klez Incoming" alerts from snort, but our virus protection program is not picking it up. I believe this is a false positive as our virus defs are up to date. Before I rule this as a false positive or start digging through people's mailboxes (privacy policy, blah blah), has anyone else had this experience??

-- 
Public key #7BBC68D9 at        | Shane Williams
http://pgp.mit.edu/            | Systems Administrator UT-GSLIS
=------------------------------+-------------------------------
All syllogisms contain three lines | shanew () gslis utexas edu
Therefore this is not a syllogism  | www.gslis.utexas.edu/~shanew
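Added example, not code from the list thread or from the Snort project, showing why sid:1800 fires on messages the AV does not flag: "VGhpcyBwcm9" is the base64 of "This pro", the start of the DOS-stub message every standard PE carries at file offset 0x4E, and because 0x4E is a multiple of 3 the encoding comes out the same in any base64 attachment, Klez or not. Everything below is constructed: the rule approximation, the fake MZ header, the MIME parser and both sample messages.

```python
import base64
import re

# Content matches from sid:1800 as posted on the list; flow/dsize handling is simplified.
RULE_CONTENTS = (b"MIME", b"VGhpcyBwcm9")
RULE_MIN_DSIZE = 120
DOS_STUB_MSG = b"This program cannot be run in DOS mode."  # b64 of "This pro" is VGhpcyBwcm9

def rule_1800_matches(payload: bytes) -> bool:
    """Approximation of the rule: dsize:>120 and both content strings present."""
    return len(payload) > RULE_MIN_DSIZE and all(c in payload for c in RULE_CONTENTS)

def build_fake_pe_header() -> bytes:
    """Constructed, non-runnable MZ header: 0x40-byte DOS header, the 14-byte stub code
    linkers emit at 0x40, then the stub message at its usual offset 0x4E (78 = 3*26, so
    standard base64 always encodes 'This pro' as VGhpcyBwcm9 regardless of line wrapping)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    hdr += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    assert len(hdr) == 0x4E
    hdr += DOS_STUB_MSG + b"\r\r\n$" + b"\x00" * 7
    return bytes(hdr)

def mime_message_for(attachment: bytes, filename: str) -> bytes:
    """Single-part base64 MIME message with 76-column lines, like the one posted in the thread."""
    headers = ("MIME-Version: 1.0\r\n"
               f"Content-Type: application/octet-stream; name={filename}\r\n"
               "Content-Transfer-Encoding: base64\r\n\r\n").encode()
    return headers + base64.encodebytes(attachment).replace(b"\n", b"\r\n")

_B64_PART = re.compile(rb"Content-Transfer-Encoding: base64\r?\n(?:.*\r?\n)*?\r?\n((?:[A-Za-z0-9+/=]+\r?\n)+)")

def decode_base64_parts(payload: bytes) -> list:
    """Decode every base64 body in the message (small constructed parser, not Snort's)."""
    return [base64.b64decode(m.group(1)) for m in _B64_PART.finditer(payload)]

def triage(payload: bytes) -> dict:
    """Analyst check behind the alert: did the rule fire, and is the attachment really a PE?"""
    report = {"rule_fires": rule_1800_matches(payload), "pe_attachment": False, "stub_offset": -1}
    for blob in decode_base64_parts(payload):
        if blob.startswith(b"MZ"):
            report["pe_attachment"] = True
            report["stub_offset"] = blob.find(DOS_STUB_MSG)
    return report

# Constructed samples: a generic (non-Klez) executable attachment and a plain-text one.
SAMPLE_EXE_MAIL = mime_message_for(build_fake_pe_header(), "updater.exe")
SAMPLE_TXT_MAIL = mime_message_for(b"Reminder: the help desk closes at 17:00 today.\r\n" * 4, "note.txt")

if __name__ == "__main__":
    print(triage(SAMPLE_EXE_MAIL))  # rule fires on any standard PE attachment, Klez or not
    print(triage(SAMPLE_TXT_MAIL))  # "MIME" present but no executable stub: no alert
```

Decoding the attachment this way tells you whether an alert is a real executable attachment that the AV should have scanned, before anyone opens mailboxes.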
Snort-users mailing list: Snort-users () lists sourceforge net