
List:       snort-sigs
Subject:    [Snort-sigs] Quick rule for Gone.A Worm
From:       Sam <sam () neuroflux ! com>
Date:       2001-12-04 21:24:48

I've whipped up a quick rule to report any Gone.A infections.  Feel free
to use at your own risk. :)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "Virus - Gone.A Worm"; \
    content: "gone.scr"; content: "When I saw this screen saver"; rev:1; \
    flags: A+;)

I left the destination port to any since the virus could potentially come
in via people sending the virus out via SMTP, people getting the virus via
Web Mail (port 80) and people getting the virus via POP or IMAP.

-Sam



_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
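
Added example, not part of the original message: a small Python model of what the posted rule checks on a single TCP segment (direction, ACK flag, both content strings), run over constructed payloads to show which of the delivery paths mentioned in the message it alerts on. The HOME_NET range, all addresses and the sample payload are assumptions made for this sketch.

```python
import ipaddress

# Assumed for this sketch: HOME_NET is a constructed /24; everything else is external.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
CONTENTS = (b"gone.scr", b"When I saw this screen saver")  # both strings from the rule
ACK = 0x10  # TCP ACK bit; "flags: A+" means ACK set, any other flags allowed


def rule_matches(src, dst, tcp_flags, payload):
    """Return True if one TCP segment would satisfy the posted rule."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in HOME_NET or dst_ip not in HOME_NET:
        return False  # header: $EXTERNAL_NET any -> $HOME_NET any
    if not tcp_flags & ACK:
        return False  # flags: A+
    # content: options without nocase are case-sensitive, and every one
    # must be found inside the same packet payload.
    return all(c in payload for c in CONTENTS)


# Constructed sample payload (not captured traffic).
MAIL = (b"Content-Type: text/plain\r\n\r\n"
        b"When I saw this screen saver, I thought of you.\r\n"
        b"Content-Disposition: attachment; filename=\"gone.scr\"\r\n")

# name -> (source, destination, TCP flags, payload); 0x18 = PSH+ACK, 0x02 = SYN
SAMPLES = {
    "inbound SMTP delivery": ("203.0.113.5", "192.168.1.25", 0x18, MAIL),
    "inbound POP3 download": ("203.0.113.9", "192.168.1.40", 0x18, MAIL),
    "outbound SMTP from home host": ("192.168.1.40", "203.0.113.5", 0x18, MAIL),
    "filename only": ("203.0.113.5", "192.168.1.25", 0x18, b"filename=\"gone.scr\""),
    "SYN without ACK": ("203.0.113.5", "192.168.1.25", 0x02, MAIL),
}


def evaluate(samples=SAMPLES):
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_matches(*pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'quiet':5}  {name}")
```

Because the rule header requires the destination to be in $HOME_NET, mail leaving a home host for an external server does not match; covering that path would need a second rule with the direction reversed.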
