Snort mailing list archives
RE: pif WORM?
From: "Hawrylkiw, Dan G" <dan.g.hawrylkiw () intel com>
Date: Mon, 13 Aug 2001 13:36:25 -0700
It's likely to be the W32.Sircam virus. It is sent through email as attached .pif files. The snort homepage has rules to trigger on the email text if you wanted to get more specific alerts.

I'm getting about two SirCams per day at home.. Sadly, most are from members of the InfoSec mailing lists that I belong to.. (I don't think any are from this list, though :-)

Some people's kids!!...

/Dan Hawrylkiw

-----Original Message-----
From: john.ruff () us abb com [mailto:john.ruff () us abb com]
Sent: Monday, August 13, 2001 10:52 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] pif WORM?

Anyone have specific details regarding this entry in my ALERT_FULL snort log file:

[**] [1:721:1] Virus - Possible pif Worm [**]
08/13-13:24:12.370939 207.217.120.162:110 -> 130.110.95.77:1417
TCP TTL:42 TOS:0x0 ID:63795 IpLen:20 DgmLen:1044
***AP*** Seq: 0xAC838C68 Ack: 0x14BBA Win: 0xFAF0 TcpLen: 20

[**] [1:729:1] Virus - Possible scr Worm [**]
08/13-13:24:38.676198 207.217.120.162:110 -> 130.110.95.77:1417
TCP TTL:42 TOS:0x0 ID:64225 IpLen:20 DgmLen:1051
***A**** Seq: 0xAC898900 Ack: 0x14CA4 Win: 0xFAF0 TcpLen: 20

Thanks,
John

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
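Added example, not part of the original thread and not Snort's own code: the following Python parses ALERT_FULL entries like the two quoted above and groups them by TCP flow, which shows that both alerts came from one POP3 server (source port 110) replying to the same client, i.e. mail being downloaded. The names `parse_alerts`, `triage` and `MAIL_PORTS` are this example's own assumptions; the sample input is the alert text from the message.

```python
import re
from collections import defaultdict

# The two alerts quoted in the message above, whitespace-collapsed as archived.
SAMPLE = (
    "[**] [1:721:1] Virus - Possible pif Worm [**] "
    "08/13-13:24:12.370939 207.217.120.162:110 -> 130.110.95.77:1417 "
    "TCP TTL:42 TOS:0x0 ID:63795 IpLen:20 DgmLen:1044 "
    "***AP*** Seq: 0xAC838C68 Ack: 0x14BBA Win: 0xFAF0 TcpLen: 20 "
    "[**] [1:729:1] Virus - Possible scr Worm [**] "
    "08/13-13:24:38.676198 207.217.120.162:110 -> 130.110.95.77:1417 "
    "TCP TTL:42 TOS:0x0 ID:64225 IpLen:20 DgmLen:1051 "
    "***A**** Seq: 0xAC898900 Ack: 0x14CA4 Win: 0xFAF0 TcpLen: 20"
)

# Header line, timestamp/address line, then the IP header line up to DgmLen.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+TTL:\d+.*?DgmLen:(?P<dgmlen>\d+)"
)
MAIL_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP"}  # well-known mail ports

def parse_alerts(text):
    """Return one dict per alert_full entry found in text."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport", "dgmlen"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts

def triage(text):
    """Group alerts by TCP flow and name the mail client host to inspect."""
    flows = defaultdict(list)
    for a in parse_alerts(text):
        flows[(a["src"], a["sport"], a["dst"], a["dport"])].append(a)
    report = []
    for (src, sport, dst, dport), hits in flows.items():
        # Traffic *from* a mail port is a server reply, so the receiver is the client.
        service = MAIL_PORTS.get(sport) or MAIL_PORTS.get(dport)
        client = dst if sport in MAIL_PORTS else src
        report.append({"service": service, "client": client,
                       "sids": [h["sid"] for h in hits],
                       "first": hits[0]["ts"], "last": hits[-1]["ts"]})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

The `client` field is the host whose mailbox received the attachment, so that is the machine to check with antivirus.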