Educause Security Discussion mailing list archives

experience with snort sig: "ET TROJAN Dropper-497 (Yumato) Initial Checkin"

From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Mon, 18 May 2009 14:05:11 +1200

Anyone have any feeling for how reliable this one is? Sig picks up
packets dsize:5; content:"|30 30 30 0d 0a|" i.e. packets with exactly
5 characters "000<cr><lf>".

We got a couple of hits on it last night to a machine on a broadband
network in China.  I've asked someone to have a look at the box but
thought I'd ask if anyone had any experience with this rule.

Russell
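
The two rule options quoted in the message above, modelled as a small matcher run over constructed sample payloads. This is an added example for this archive page, not the ET rule itself and not Snort: it handles only dsize and a single content option (no flow, offset, depth or other options the real rule may carry), and the addresses and payloads are made up for illustration.

```python
"""Minimal evaluator for the payload conditions quoted above:
dsize:5; content:"|30 30 30 0d 0a|"

Added example, not the ET rule or Snort. Only the two options quoted in
the message are modelled; the sample packets below are constructed."""


def parse_snort_content(spec: str) -> bytes:
    """Turn a Snort content string such as '|30 30 30 0d 0a|' or
    'abc|0d 0a|' into raw bytes. Text between pipes is space-separated
    hex; text outside pipes is literal ASCII."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 1:                       # inside |...|: hex bytes
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:                                # outside pipes: literal text
            out += chunk.encode("latin-1")
    return bytes(out)


# The two options from the rule as quoted in the message.
RULE_DSIZE = 5
RULE_CONTENT = parse_snort_content("|30 30 30 0d 0a|")   # b"000\r\n"


def rule_matches(payload: bytes) -> bool:
    """dsize:5 requires the payload to be exactly 5 bytes; content with no
    offset/depth requires the pattern to appear anywhere in the payload."""
    return len(payload) == RULE_DSIZE and RULE_CONTENT in payload


def scan(packets):
    """packets: iterable of (src, dst, payload). Returns the (src, dst)
    pairs that would fire the rule."""
    return [(src, dst) for src, dst, payload in packets if rule_matches(payload)]


# Constructed sample traffic (hypothetical addresses, not from the list post).
SAMPLE_PACKETS = [
    ("10.0.0.5", "198.51.100.7", b"000\r\n"),             # exactly 5 bytes "000<cr><lf>": fires
    ("10.0.0.5", "198.51.100.7", b"000\n"),               # dsize 4: no match
    ("10.0.0.5", "198.51.100.7", b"HELO 000\r\n"),        # pattern present but dsize 10: no match
    ("10.0.0.6", "203.0.113.9", b"200\r\n"),              # 5 bytes but wrong content: no match
    ("10.0.0.6", "203.0.113.9", b"\x30\x30\x30\x0d\x0a"), # same 5 bytes written as hex: fires
]

if __name__ == "__main__":
    for src, dst in scan(SAMPLE_PACKETS):
        print("alert:", src, "->", dst)
```

Because the rule keys on a five-byte payload and nothing else, any protocol that sends a bare three-digit status line terminated by CRLF would satisfy it just as well, which is why checking the endpoint itself (as the poster is doing) is the right follow-up rather than trusting the alert on its own.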
