Snort mailing list archives
BadTrans Rule
From: Jim Forster <jforster () rapidnet com>
Date: Thu, 29 Nov 2001 08:49:52 -0700
I kicked up a 'test' rule for this last night, and it lit up my logs on all the incoming copies, might be of use to some of you.

alert tcp any 110 -> any any (msg:"BETA--BadTrans.B Detected--"; content:"audio/x-wav"; content:"ABC1234567890DEF"; nocase;)

I like it because the alerts contain the full header, as well as the attachment name. (nice to watch for alterations to the strain).

-----------------------------------------------------
Jim Forster
Network Administrator
RapidNet, A Golden West Company
-----------------------------------------------------
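An added example, not part of the original post: a small Python emulation of the posted rule's matching, run on constructed payloads, showing that `nocase` applies only to the content option it follows. The simplified parser, the sample payloads and the `RULE_NOCASE_BOTH` variant are assumptions made for illustration.

```python
import re

# Rule exactly as posted in the message above.
RULE = ('alert tcp any 110 -> any any (msg:"BETA--BadTrans.B Detected--"; '
        'content:"audio/x-wav"; content:"ABC1234567890DEF"; nocase;)')
# Added variant (not from the post): nocase after each content option.
RULE_NOCASE_BOTH = RULE.replace('content:"audio/x-wav";',
                                'content:"audio/x-wav"; nocase;')

def parse_contents(rule):
    """Return [[pattern, nocase], ...] for the rule's content options.
    Simplified parser: quoted text patterns only (no |hex| bytes, no
    escaped quotes). nocase modifies the content option preceding it.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    for name, value in re.findall(r'(\w+)\s*(?::\s*"([^"]*)")?\s*;', body):
        if name == "content":
            contents.append([value.encode(), False])
        elif name == "nocase" and contents:
            contents[-1][1] = True
    return contents

def rule_matches(rule, src_port, payload):
    """Emulate the rule on one packet: source-port check, then every content."""
    port = rule.split()[3]  # header: action proto src_ip src_port -> ...
    if port != "any" and int(port) != src_port:
        return False
    for pattern, nocase in parse_contents(rule):
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True

# Constructed sample payloads (not captured traffic): MIME headers as they
# could appear in a POP3 server's reply, built to contain the rule's strings.
SAMPLE_MAIL = (b'+OK\r\nContent-Type: multipart/related;\r\n'
               b'\tboundary="====_ABC1234567890DEF_===="\r\n\r\n'
               b'--====_ABC1234567890DEF_====\r\n'
               b'Content-Type: audio/x-wav;\r\n\tname="sample.pif"\r\n')
MIXED_CASE_TYPE = SAMPLE_MAIL.replace(b"audio/x-wav", b"Audio/X-Wav")
LOWER_MARKER = SAMPLE_MAIL.replace(b"ABC1234567890DEF", b"abc1234567890def")
BENIGN_WAV = b'+OK\r\nContent-Type: audio/x-wav;\r\n\tname="greeting.wav"\r\n'

if __name__ == "__main__":
    for name in ("SAMPLE_MAIL", "MIXED_CASE_TYPE", "LOWER_MARKER", "BENIGN_WAV"):
        data = globals()[name]
        print(name, rule_matches(RULE, 110, data), rule_matches(RULE_NOCASE_BOTH, 110, data))
```

The emulation works on a single payload at a time, so both strings have to be present in the same buffer for a match.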