From: Les Yaw (yawles@luther.edu)
Date: 07/15/04
It's my understanding the SNORT-like feature of Trafficserver doesn't "do"
pcre. Is there some other way to detect the new Atak worm without needing
the pcre? We'd really love to be able to find this traffic ---
correction, we hope we NEVER see this traffic, but want to catch it asap.
Thanks,
Les Yaw
Luther College
The following is from the SNORT listserv - - -
Michael Sconzo sent us this rule; it looks to be quite accurate.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Atak.mm Worm Outbound"; content:"Authorized Researcher Only"; pcre:"m/(Read\ the\ Result\!|Important\ Data\!)/"; content:"filename="; content:".zip"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak@mm.html; sid:2000494; rev:1;)
It's in the bleeding set. Thanks, Michael
Matt
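The only pcre in the quoted rule is a two-way alternation between literal strings, so the rule's payload condition can be expressed with plain content matches alone. The Python below is an added example, not code from the post, from Michael Sconzo, or from the Snort or Bleeding Edge projects. It implements the quoted rule's payload condition with substring tests, generates two pcre-free Snort rules (one per alternative; the msg text is mine and the sid values are placeholders to be replaced with local ones), and runs the predicate over constructed SMTP payloads. The rule header's direction (`$HOME_NET -> $EXTERNAL_NET 25`) is not modelled, and whether Trafficserver's SNORT-like feature accepts the generated rule text is not something the post states, so that remains an assumption to verify.

```python
"""Pcre-free equivalent of the quoted Atak.mm rule (sid 2000494).

Added example, not code from the post or from the Snort/Bleeding Edge
projects. All literal strings come from the rule quoted in the post;
the sample payloads are constructed and the generated sids are
placeholders.
"""
from typing import Dict, List

# content: matches from the quoted rule. The rule has no 'nocase', so
# Snort compares these case-sensitively; raw bytes do the same here.
REQUIRED_CONTENT = [b"Authorized Researcher Only", b"filename=", b".zip"]

# The two literals inside pcre:"m/(Read\ the\ Result\!|Important\ Data\!)/".
SUBJECT_ALTERNATIVES = [b"Read the Result!", b"Important Data!"]


def matches_atak_rule(payload: bytes) -> bool:
    """Same payload condition as the quoted rule: every content: string
    present, plus at least one of the two pcre alternatives. Content
    matches without distance/within modifiers are independent whole-
    payload searches, so their order in the rule is irrelevant."""
    if not all(needle in payload for needle in REQUIRED_CONTENT):
        return False
    return any(alt in payload for alt in SUBJECT_ALTERNATIVES)


def pcre_free_rules() -> List[str]:
    """Two Snort rules, one per alternative, that together fire on the
    same traffic using content: matches only. Header and reference are
    copied from the quoted rule; msg is mine; sid is a placeholder
    (assumption: pick sids from your local range)."""
    header = "alert tcp $HOME_NET any -> $EXTERNAL_NET 25"
    reference = (
        "reference:url,securityresponse.symantec.com/avcenter/venc/data/"
        "w32.atak@mm.html;"
    )
    rules = []
    for i, alt in enumerate(SUBJECT_ALTERNATIVES, start=1):
        text = alt.decode("ascii")
        rules.append(
            f'{header} (msg:"LOCAL VIRUS Possible Atak.mm Worm Outbound ({text})"; '
            f'content:"Authorized Researcher Only"; content:"{text}"; '
            f'content:"filename="; content:".zip"; {reference} '
            f"sid:<LOCAL_SID_{i}>; rev:1;)"
        )
    return rules


# Constructed SMTP DATA fragments, not real worm samples.
SAMPLES: Dict[str, bytes] = {
    "atak_variant_a": (
        b"Subject: Read the Result!\r\n"
        b'Content-Disposition: attachment; filename="data.zip"\r\n\r\n'
        b"Authorized Researcher Only\r\n"
    ),
    "atak_variant_b": (
        b"Subject: Important Data!\r\n"
        b'Content-Disposition: attachment; filename="report.zip"\r\n\r\n'
        b"Authorized Researcher Only\r\n"
    ),
    "benign_zip": (
        b"Subject: Q2 numbers\r\n"
        b'Content-Disposition: attachment; filename="q2.zip"\r\n\r\n'
        b"Attached as discussed.\r\n"
    ),
}


def scan(samples: Dict[str, bytes]) -> List[str]:
    """Names of the samples the rule condition would fire on."""
    return [name for name, body in samples.items() if matches_atak_rule(body)]


if __name__ == "__main__":
    print("hits:", scan(SAMPLES))
    for rule in pcre_free_rules():
        print(rule)
```

Splitting the alternation into two rules is the standard way to drop pcre from a rule like this: each rule keeps all of the original content: checks and adds one of the two literals, so together they match exactly what the original did. The byte comparison reproduces Snort's default case-sensitive content matching, since the quoted rule carries no nocase modifier.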
This archive was generated by hypermail 2.1.4 : 07/15/04 PDT