Snort mailing list archives
Re: Fizzer Virus Signature
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 15 May 2003 11:25:50 +1200
On Wed, May 14, 2003 at 07:01:01PM +0200, operator wrote:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"W32.HLLW.Fizzer@mm SMTP Trojan Attempt"; flow:to_server,established; content:"AHMAZQByAHYAYwAuAGUAeABl"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.fizzer@mm.html; classtype:trojan-activity; sid:1000004; rev:1;)
First thing that should be fixed is to add a 'content:"Content-Type: xxx"' to the SMTP rules. Otherwise these messages (this one included!) will trigger the alert. It should be a "Content-Type: application/" or the like...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
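To make the false positive concrete, here is an added Python example (not code from the thread) that decodes the rule's base64 content string and compares operator's match against the narrowed match Jason proposes, run over two constructed messages. The DISCUSSION_MAIL and ATTACHMENT_MAIL samples and the function names are assumptions of this example, not part of the original posts.

```python
import base64

# The content string from operator's rule as quoted in the thread.
FIZZER_CONTENT = "AHMAZQByAHYAYwAuAGUAeABl"


def decode_signature(content_b64: str) -> bytes:
    """Decode the base64 fragment to see what bytes the rule really matches."""
    return base64.b64decode(content_b64)


def original_rule_matches(smtp_payload: str) -> bool:
    """operator's rule: alert if the fragment appears anywhere in the stream."""
    return FIZZER_CONTENT in smtp_payload


def refined_rule_matches(smtp_payload: str) -> bool:
    """Jason's suggestion modelled as a second content match: require a
    'Content-Type: application/' header and accept the fragment only after it
    (the ordering a 'content:...; distance:0;' pair gives in a Snort rule)."""
    idx = smtp_payload.find("Content-Type: application/")
    if idx < 0:
        return False
    return FIZZER_CONTENT in smtp_payload[idx:]


# Constructed sample 1: a text/plain list posting that quotes the rule,
# i.e. the kind of message Jason says will trigger the original alert.
DISCUSSION_MAIL = (
    "From: someone@example.invalid\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n\r\n"
    'Try: content:"AHMAZQByAHYAYwAuAGUAeABl"; classtype:trojan-activity;\r\n'
)

# Constructed sample 2: a multipart message with a base64-encoded attachment
# whose encoded body contains the same fragment (filler bytes around it).
ATTACHMENT_MAIL = (
    "From: someone@example.invalid\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    "--b1\r\nContent-Type: application/octet-stream\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\n"
    "ZmlsbGVyAHMAZQByAHYAYwAuAGUAeABlZmlsbGVy\r\n--b1--\r\n"
)
```

The narrowed check still fires if a message quoting the rule also carries an application/* part before the quote, so it reduces rather than eliminates the false positive Jason describes.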
Current thread:
- Fizzer Virus Signature Jeremy Junginger (May 13)
- <Possible follow-ups>
- Fizzer Virus Signature Jeremy Junginger (May 13)
- Re: Fizzer Virus Signature Chris Keladis (May 14)
- RE: Fizzer Virus Signature L. Christopher Luther (May 13)
- RE: Fizzer Virus Signature operator (May 14)
- Re: Fizzer Virus Signature Jason Haar (May 14)