Snort mailing list archives

BadTrans Rule


From: Jim Forster <jforster () rapidnet com>
Date: Thu, 29 Nov 2001 08:49:52 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I kicked up a 'test' rule for this last night, and it lit up my logs on 
all the incoming copies, might be of use to some of you.

alert tcp any 110 -> any any (msg:"BETA--BadTrans.B Detected--"; content:"audio/x-wav"; content:"ABC1234567890DEF"; nocase;)

I like it because the alerts contain the full header, as well as the 
attachment name.  (nice to watch for alterations to the strain).

- -----------------------------------------------------
Jim Forster
Network Administrator
RapidNet, A Golden West Company
- -----------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPAZZIIm0Gn1R8/mJEQLjngCg6qiZgduTLjHS8UVYl4OgyzrjrSMAoPsA
cqyjP67OYrPaQTcGPhgzKqAw
=paWP
-----END PGP SIGNATURE-----


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
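The matching logic of the posted rule, emulated in Python so it can be exercised offline against a captured POP3 response. This is an added example and not Jim's code or anything from the Snort project; the `Packet` type, the `rule_matches`/`alert_for`/`attachment_names` helpers and the sample mail (a constructed MIME message, not a real BadTrans.B capture) are assumptions made for illustration. It reproduces two details of Snort's semantics that matter for this rule: the source-port check (only POP3 server-to-client traffic is inspected, so the same worm arriving over SMTP or IMAP is not seen), and the fact that `nocase` modifies only the `content` keyword immediately before it, so `audio/x-wav` is still matched case-sensitively.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Values copied from the posted rule:
#   alert tcp any 110 -> any any (msg:"BETA--BadTrans.B Detected--";
#       content:"audio/x-wav"; content:"ABC1234567890DEF"; nocase;)
RULE_MSG = "BETA--BadTrans.B Detected--"
RULE_SRC_PORT = 110                 # POP3 server -> client only
CONTENT_MIME = b"audio/x-wav"       # no nocase on this content: exact case
CONTENT_MARKER = b"ABC1234567890DEF"  # nocase applies to this content only


@dataclass
class Packet:
    """Minimal stand-in for a reassembled TCP segment (assumed type)."""
    src_port: int
    dst_port: int
    payload: bytes


def rule_matches(pkt: Packet) -> bool:
    """Emulate the posted rule's header and content options."""
    # Header: tcp any 110 -> any any
    if pkt.src_port != RULE_SRC_PORT:
        return False
    # content:"audio/x-wav" is matched as written (case-sensitive)
    if CONTENT_MIME not in pkt.payload:
        return False
    # content:"ABC1234567890DEF"; nocase; is matched case-insensitively
    return CONTENT_MARKER.lower() in pkt.payload.lower()


# Pull name="..." / filename="..." values out of MIME headers so an alert
# can report the attachment name, as the original post says it likes to see.
_NAME_RE = re.compile(rb'(?:file)?name="?([^";\r\n]+)"?', re.IGNORECASE)


def attachment_names(payload: bytes) -> List[str]:
    return [m.group(1).decode("latin-1") for m in _NAME_RE.finditer(payload)]


def alert_for(pkt: Packet) -> Optional[dict]:
    """Return an alert record (msg + attachment names) or None."""
    if not rule_matches(pkt):
        return None
    return {"msg": RULE_MSG, "attachments": attachment_names(pkt.payload)}


# Constructed sample: a POP3 RETR response carrying an audio/x-wav part whose
# MIME boundary contains the marker string. Invented for this example; it is
# not a capture of the real worm.
SAMPLE_MAIL = (
    b"+OK 1234 octets\r\n"
    b"From: someone@example.test\r\n"
    b"Subject: Re:\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/related; boundary=\"====_ABC1234567890DEF_====\"\r\n"
    b"\r\n"
    b"--====_ABC1234567890DEF_====\r\n"
    b"Content-Type: audio/x-wav; name=\"SAMPLE.DOC.pif\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    b"--====_ABC1234567890DEF_====--\r\n"
    b".\r\n"
)


if __name__ == "__main__":
    for label, pkt in [
        ("pop3", Packet(110, 1025, SAMPLE_MAIL)),
        ("smtp", Packet(25, 1025, SAMPLE_MAIL)),
        ("mixed-case mime", Packet(110, 1025, SAMPLE_MAIL.replace(b"audio/x-wav", b"Audio/X-Wav"))),
    ]:
        print(label, alert_for(pkt))
```

Running it shows the POP3 copy alerting with the attachment name, the identical message on port 25 passing silently, and a copy whose `Content-Type` is written `Audio/X-Wav` also passing silently; if that case variation is a concern, a second `nocase;` after the first `content` closes it, at the cost of a little more pattern-matching work on every POP3 segment.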