Snort mailing list archives

Re: Fizzer Virus Signature


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 15 May 2003 11:25:50 +1200

On Wed, May 14, 2003 at 07:01:01PM +0200, operator wrote:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"W32.HLLW.Fizzer@mm SMTP Trojan Attempt"; \
    flow:to_server,established; \
    content:"AHMAZQByAHYAYwAuAGUAeABl"; \
    reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html; \
    classtype:trojan-activity; sid:1000004; rev:1;)

First thing that should be fixed is to add a 'content:"Content-Type: xxx"'
to the SMTP rules. Otherwise these messages (this one included!) will
trigger the alert.

It should be a "Content-Type: application/" or the like...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
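Added example, not part of the thread: a toy Python version of the posted rule and of the amended one with a Content-Type match, run over two constructed SMTP payloads (a genuine base64 attachment and a plain-text reply that quotes the rule). It also shows that the content string is one of the three base64 alignments of the UTF-16 filename "iservc.exe" (assumed here to be the file the signature targets; the thread does not say), so a single fixed base64 string covers only one alignment.

```python
import base64

SIG = "AHMAZQByAHYAYwAuAGUAeABl"  # content string from the posted rule


def original_rule(smtp_payload: str) -> bool:
    """Posted rule: fires on the base64 string anywhere in the SMTP stream."""
    return SIG in smtp_payload


def amended_rule(smtp_payload: str) -> bool:
    """Amended rule: also require a binary attachment header. Two independent
    content matches, with no ordering enforced between them (as in the original)."""
    return SIG in smtp_payload and "Content-Type: application/" in smtp_payload


def base64_alignments(data: bytes) -> list:
    """The three base64 renderings of `data`, one per byte offset mod 3.
    A fixed base64 content match covers only one of them; a robust rule needs
    all three. Each result is trimmed to whole 3-byte groups (no '=' padding)."""
    out = []
    for shift in range(3):
        chunk = data[shift:]
        chunk = chunk[: len(chunk) // 3 * 3]  # drop the padded tail group
        out.append(base64.b64encode(chunk).decode())
    return out


# Constructed samples (not from the thread). The blob places the UTF-16 name
# "iservc.exe" (assumed) at offset 8, so the signature lands on alignment 1.
_BLOB = b"MZ" + b"\x00" * 6 + "iservc.exe".encode("utf-16-le") + b"\x00\x00"
ATTACHMENT_MAIL = (
    "From: a@example.test\r\nTo: b@example.test\r\nSubject: hi\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: application/octet-stream; name="iservc.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(_BLOB).decode() + "\r\n.\r\n"
)
# A plain-text reply quoting the rule, like the message above: no attachment.
REPLY_MAIL = (
    "From: c@example.test\r\nTo: d@example.test\r\nSubject: Re: Fizzer rule\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n\r\n"
    '> content:"AHMAZQByAHYAYwAuAGUAeABl";\r\n'
    "This matches my own mail, doesn't it?\r\n.\r\n"
)

if __name__ == "__main__":
    for name, mail in (("attachment", ATTACHMENT_MAIL), ("reply", REPLY_MAIL)):
        print(name, "original:", original_rule(mail), "amended:", amended_rule(mail))
    print(base64_alignments("iservc.exe".encode("utf-16-le")))
```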

