Snort mailing list archives
Re: Rule for Sobig
From: Shane Williams <shanew () shanew net>
Date: Fri, 29 Aug 2003 10:39:14 -0500 (CDT)
On Fri, 29 Aug 2003, Timm Schneider wrote:
> I have a mail server (official) behind my iptables+Snort firewall. I would like to filter the Sobig worm on my Snort. How should I do that? Where can I find a rule for that? I get about 50 mails an hour with Sobig on my mail server.
In general, looking at the snort-sigs mailing list archive is a good way to see if anyone has already come up with something. I sent the following to that list back on the 19th and I haven't heard anyone remark on false positives or negatives since then.

alert tcp any any -> any 25 (msg:"Probable Sobig.F in SMTP";\
content:"VDvdKcYWznRbLRPadQ+V576YUs6FwBGGrYnr7cqYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A";\
sid:9000019; classtype:misc-activity; rev:1;)

If you find any false positives or negatives using this rule, please let me know.

-- 
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                | System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines | shanew () shanew net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
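One check worth running before deploying a base64 content match like the one above, as an added example in Python that is not from the original message or from Snort: a byte pattern inside a base64-encoded attachment produces one of three different base64 strings depending on where it starts relative to the 3-byte encoding boundary, so a single content string catches only one alignment. The script decodes the rule's content string back to the bytes it matches and derives the content strings for the other two alignments; the filler bytes standing in for unknown neighbouring bytes are constructed.

```python
import base64

# Content string from the Snort rule above (the two fragments the backslash
# continuation joins, written as one string).
RULE_CONTENT = ("VDvdKcYWznRbLRPadQ+V576YUs6FwBGG"
                "rYnr7cqYlLI9/9zwrfe9T0tMbFTdX2GmQfo7TrcECi9A")


def rule_bytes() -> bytes:
    """The raw attachment bytes the rule's content string stands for."""
    return base64.b64decode(RULE_CONTENT)


def alignment_signatures(raw: bytes, filler: bytes = b"\x00") -> list[str]:
    """Base64 text produced by `raw` at each of the three alignments.

    Index i is the content string to use when the pattern starts i bytes
    past a 3-byte boundary. Every 4-character group encodes exactly 3 bytes,
    so groups that would also cover unknown neighbouring bytes (the first
    group when i > 0, the last group when the stream length is not a
    multiple of 3) are dropped; the result does not depend on `filler`."""
    sigs = []
    for shift in range(3):
        stream = filler * shift + raw          # constructed leading bytes
        text = base64.b64encode(stream).decode("ascii")
        start = 4 if shift else 0
        end = len(text) if len(stream) % 3 == 0 else len(text) - 4
        sigs.append(text[start:end])
    return sigs


def matching_alignments(content: str, raw: bytes) -> list[int]:
    """Alignments (0, 1, 2) at which `content` appears in the encoding of
    `raw`, using a different filler byte than alignment_signatures()."""
    hits = []
    for shift in range(3):
        text = base64.b64encode(b"\xff" * shift + raw).decode("ascii")
        if content in text:
            hits.append(shift)
    return hits


if __name__ == "__main__":
    raw = rule_bytes()
    print(len(raw), "bytes behind the rule's content string")
    print("rule content matches alignments:", matching_alignments(RULE_CONTENT, raw))
    for i, sig in enumerate(alignment_signatures(raw)):
        print(f'alignment {i}: content:"{sig}";')
```

The rule's own string is the alignment-0 encoding; a separate rule (or a second `content:` alternative) per alignment is needed if the same bytes can appear at a different offset in a carrier.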