Re: Atak worm detection?

From: Florian Huber (florian.huber@scaltel.de)
Date: 07/15/04


Hello, Les!

Can't you simply split the expression up into two rules? I just had to change the sid, since inmon complained about a duplicate sid.

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Atak.mm Worm Outbound"; content:"Authorized Researcher Only"; content:" Read the Result!"; content:"filename="; content:".zip"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak@mm.html; sid:2000494; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Atak.mm Worm Outbound"; content:"Authorized Researcher Only"; content:" Important Data!"; content:"filename="; content:".zip"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak@mm.html; sid:2000495; rev:1;)

Florian T. Huber (System Engineer OMC)
Scaltel        Network technology - Communication technology - IT Services - Radio relay links
Networks
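As an added example (my own code, not Florian's rules as shipped and not part of the Bleeding Edge project), here is a small Python harness that parses the two rules above, checks that every sid is unique, and replays constructed outbound SMTP payloads against them. The rule text inside the script drops the backslash-escaped spaces and `!` from the posted rules, because a content string only needs `;`, `"`, `\` and `:` escaped and unknown escapes are rejected by current Snort and Suricata. The harness also includes a constructed single rule that lists both phrases, to show why splitting was needed: content options in one rule are ANDed, so one rule cannot express "Read the Result!" OR "Important Data!". The SMTP messages are constructed samples, not real worm captures, and the matcher models plain `content` only (no `nocase`, `depth`, `offset`, `distance` or `within`).

```python
import re

# Constructed rule set: the two split rules from the post, without the unneeded escapes.
SPLIT_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Atak.mm Worm Outbound"; content:"Authorized Researcher Only"; content:" Read the Result!"; content:"filename="; content:".zip"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak@mm.html; sid:2000494; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Atak.mm Worm Outbound"; content:"Authorized Researcher Only"; content:" Important Data!"; content:"filename="; content:".zip"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.atak@mm.html; sid:2000495; rev:1;)
'''

# Constructed counter-example: both phrases in ONE rule. Contents are ANDed, so this never fires
# on a mail that carries only one of the two phrases.
COMBINED_RULE = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Atak.mm both phrases in one rule"; content:"Authorized Researcher Only"; content:" Read the Result!"; content:" Important Data!"; content:"filename="; content:".zip"; sid:2000494; rev:1;)
'''

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def split_options(body):
    """Split the option body on ';' while honouring double quotes and backslash escapes."""
    opts, cur, quoted, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch); esc = False
        elif ch == '\\':
            cur.append(ch); esc = True
        elif ch == '"':
            cur.append(ch); quoted = not quoted
        elif ch == ';' and not quoted:
            opts.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    return opts + ([tail] if tail else [])


def decode_content(value):
    """Turn a quoted content value into bytes: handles \\; \\" \\\\ \\: escapes and |hex| blocks.
    Any other escape (such as the posted '\\ ' and '\\!') is rejected, as Snort and Suricata do."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError(f"content value must be quoted: {value!r}")
    s, out, i = value[1:-1], bytearray(), 0
    while i < len(s):
        if s[i] == '\\':
            if i + 1 >= len(s) or s[i + 1] not in '\\";:':
                raise ValueError(f"bad escape sequence in content: {s!r}")
            out.append(ord(s[i + 1])); i += 2
        elif s[i] == '|':                      # |41 42| hex block
            end = s.index('|', i + 1)
            out.extend(bytes.fromhex(s[i + 1:end])); i = end + 1
        else:
            out.append(ord(s[i])); i += 1
    return bytes(out)


def content_is_valid(value):
    """True if the content value parses; False for bad quoting or unknown escapes."""
    try:
        decode_content(value)
        return True
    except ValueError:
        return False


def parse_rule(line):
    """Parse one rule into a dict with action, proto, dport, msg, sid and decoded content byte strings."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse rule header: {line[:40]!r}")
    action, proto, _src, _sport, _direction, _dst, dport, body = m.groups()
    rule = {'action': action, 'proto': proto, 'dport': dport, 'msg': None, 'sid': None, 'contents': []}
    for opt in split_options(body):
        name, _, val = opt.partition(':')
        name, val = name.strip(), val.strip()
        if name == 'content':
            rule['contents'].append(decode_content(val))
        elif name == 'sid':
            rule['sid'] = int(val)
        elif name == 'msg':
            rule['msg'] = val.strip('"')
    if rule['sid'] is None:
        raise ValueError("rule has no sid")
    return rule


def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith('#')]


def duplicate_sids(rules):
    """Return sids that occur more than once, in first-seen order (what the post's 'duplicate sid' complaint catches)."""
    seen, dups = set(), []
    for r in rules:
        if r['sid'] in seen and r['sid'] not in dups:
            dups.append(r['sid'])
        seen.add(r['sid'])
    return dups


def rule_matches(rule, payload):
    """Plain content semantics: every content must occur somewhere in the payload (ANDed, case-sensitive)."""
    return all(c in payload for c in rule['contents'])


def matching_sids(rules, payload):
    return [r['sid'] for r in rules if rule_matches(r, payload)]


# Constructed SMTP DATA sections standing in for outbound worm mail (not real captures).
MAIL_READ_RESULT = (b"Subject: Authorized Researcher Only\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
                    b"--b1\r\nPlease Read the Result!\r\n--b1\r\nContent-Disposition: attachment; "
                    b"filename=\"result.zip\"\r\n\r\nUEsDBBQ=\r\n--b1--\r\n")
MAIL_IMPORTANT_DATA = (b"Subject: Authorized Researcher Only\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
                       b"--b1\r\nHere is Important Data!\r\n--b1\r\nContent-Disposition: attachment; "
                       b"filename=\"data.zip\"\r\n\r\nUEsDBBQ=\r\n--b1--\r\n")
MAIL_BENIGN = (b"Subject: Quarterly report\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
               b"--b1\r\nSee attached.\r\n--b1\r\nContent-Disposition: attachment; "
               b"filename=\"report.zip\"\r\n\r\nUEsDBBQ=\r\n--b1--\r\n")

if __name__ == '__main__':
    rules = load_rules(SPLIT_RULES)
    print("duplicate sids:", duplicate_sids(rules))
    for name, mail in [("read-result", MAIL_READ_RESULT), ("important-data", MAIL_IMPORTANT_DATA), ("benign", MAIL_BENIGN)]:
        print(name, "split rules ->", matching_sids(rules, mail), "| combined rule ->", matching_sids(load_rules(COMBINED_RULE), mail))
```

Running it shows the split pair firing with one sid per variant and nothing on the benign mail, while the combined rule fires on neither variant. Feeding it the rule text exactly as posted (with `\ ` and `\!`) makes `decode_content` raise on the bad escape, which is the check worth running before a rule goes into a production sensor.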



This archive was generated by hypermail 2.1.4 : 07/15/04 PDT