
List:       bleeding-sigs
Subject:    Re: [Bleeding-sigs] New sigs
From:       Matt Jonkman <mjonkman () infotex ! com>
Date:       2006-07-25 23:16:33
Message-ID: 44C6A651.7080806 () infotex ! com

We're looking into it, that's very possible. :)

Matt

Jack Pepper wrote:
>>
>> #These sigs are for the unique things that spam bots do in how they talk
>> #Submitted by Scott Melnick
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS
>> Suspicious SMTP EHLO Outbound - Possible Bot";
>> flow:to_server,established; content:"EHLO billy"; nocase;
>> classtype:trojan-activity; sid:2003049; rev:1;)
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS
>> Suspicious SMTP EHLO Inbound - Possible Bot";
>> flow:to_server,established; content:"EHLO billy"; nocase;
>> classtype:trojan-activity; sid:2003050; rev:1;)
> 
> Is the "billy" hardwired in the exe? or is that the hostname of the lab
> system that created the packet dump?   I had some other traces that had
> "billy" in them, but when I ran them on my net, it used my hostname
> instead.
> 
> jp
> 
> -------------------------------------------------
> Email solutions, MS Exchange alternatives and extrication,
> security services, systems integration.
> Contact:    services@doctorunix.com
> 
> 
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingsnort.com
> http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------
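The two signatures quoted above key entirely on the literal string "EHLO billy", which is exactly why Jack asks whether "billy" is hardwired in the bot or just the hostname of the lab box that produced the capture. The following Python is an added example, not code from the thread or from the Bleeding Edge project: it replays the matching logic of both rules (port 25, direction by $HOME_NET, case-insensitive content match) over a handful of constructed SMTP client sessions, so you can see which sessions the rules would and would not fire on. It also goes one step beyond the thread with a hostname-independent heuristic that flags EHLO arguments that are not a dotted name or an address literal; that heuristic, the `$HOME_NET` value of 10.0.0.0/8 and the sample sessions are all assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed lab value for $HOME_NET; $EXTERNAL_NET is treated as "not HOME_NET".
HOME_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    client_data: bytes  # bytes the client sent after the TCP handshake (flow:to_server)


# The content match shared by sids 2003049/2003050: content:"EHLO billy"; nocase;
EHLO_BILLY = re.compile(rb"EHLO billy", re.IGNORECASE)


def in_home(addr: str) -> bool:
    return ipaddress.ip_address(addr) in HOME_NET


def match_rules(session: Session) -> list:
    """Return the sids from the thread that would fire on this session.

    2003049: $HOME_NET -> $EXTERNAL_NET 25 (outbound)
    2003050: $EXTERNAL_NET -> $HOME_NET 25 (inbound)
    """
    if session.dport != 25 or not EHLO_BILLY.search(session.client_data):
        return []
    if in_home(session.src) and not in_home(session.dst):
        return [2003049]
    if not in_home(session.src) and in_home(session.dst):
        return [2003050]
    return []


# Hostname-independent heuristic (an assumption of this example, not from the thread):
# RFC 5321 expects the EHLO/HELO argument to be a domain name or an address literal
# such as [192.0.2.1]; a bare single-label name like "billy" is neither.
EHLO_LINE = re.compile(rb"^(?:EHLO|HELO)\s+(\S+)\s*$", re.IGNORECASE | re.MULTILINE)
LABEL = re.compile(rb"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def ehlo_argument(client_data: bytes):
    m = EHLO_LINE.search(client_data)
    return m.group(1) if m else None


def suspicious_ehlo(client_data: bytes) -> bool:
    """True when the EHLO/HELO argument is not a dotted hostname or an IP address literal."""
    arg = ehlo_argument(client_data)
    if arg is None:
        return False
    if arg.startswith(b"[") and arg.endswith(b"]"):
        try:
            ipaddress.ip_address(arg[1:-1].decode("ascii"))
            return False
        except (ValueError, UnicodeDecodeError):
            return True
    labels = arg.split(b".")
    if len(labels) < 2:
        return True  # bare hostname, e.g. "billy" or "workstation-7"
    return not all(LABEL.match(label) for label in labels)


# Constructed sample sessions (not real captures).
SESSIONS = [
    Session("10.1.2.3", "203.0.113.25", 25, b"EHLO billy\r\nMAIL FROM:<a@b.example>\r\n"),
    Session("203.0.113.9", "10.1.2.50", 25, b"ehlo BILLY\r\n"),
    Session("10.1.2.3", "203.0.113.25", 25, b"EHLO workstation-7\r\n"),
    Session("10.1.2.3", "203.0.113.25", 25, b"EHLO mail.example.net\r\n"),
    Session("10.1.2.3", "203.0.113.25", 587, b"EHLO billy\r\n"),
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(f"{s.src:>14} -> {s.dst:<14} :{s.dport}  sids={match_rules(s)}  "
              f"ehlo={ehlo_argument(s.client_data)!r}  suspicious={suspicious_ehlo(s.client_data)}")
```

Running it shows the point of Jack's question: the third session (same bot behaviour, different hostname) matches neither rule, while the literal-content rules fire only on the first two. The heuristic catches the bare-hostname cases regardless of the name, but it is noisy on real networks, because plenty of legitimate internal clients send a bare hostname in EHLO; it is better used as a hunting filter than as an alerting rule.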


