Snort mailing list archives
scr Worm - false alarms
From: Wolfgang Rohdewald <wr6 () uni de>
Date: Mon, 28 Jan 2002 05:50:05 +0100
This string results in a warning:

65 69 76 65 64 3A 20 66 72 6F 6D 20 61 64 73 6C  eived: from adsl
2D 36 34 2D 31 36 34 2D 33 36 2D 35 37 2E 64 73  -64-164-36-57.ds
6C 2E 73 63 72 6D 30 31 2E 70 61 63 62 65 6C 6C  l.scrm01.pacbell
2E 6E 65 74 20 28 48 45 4C 4F 20 64 73 6C 2E 6C  .net (HELO dsl.l
6F 63 61 6C 29 20 28 72 6F 6F 74 40 36 34 2E 31  ocal) (root@64.1

caused by this rule:

alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; content: ".scr"; nocase; sid:729; classtype:misc-activity; rev:3;)

Is it possible to change this rule such that .scr only triggers if not followed by other characters? Supposing an extension like .scrm cannot carry that virus - which I am not certain of.

Wolfgang
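As an added example (not from the post and not part of the Snort rule set), the Python below decodes the hex dump quoted above and compares the posted rule's plain case-insensitive content match with the refinement the question asks for: .scr counts only when no further extension character follows it. The negative-lookahead pattern and all sample lines other than the decoded fragment are constructed for illustration.

```python
import re

# Hex bytes exactly as quoted in the post (16 bytes per row, ASCII column dropped).
POST_HEXDUMP = """
65 69 76 65 64 3A 20 66 72 6F 6D 20 61 64 73 6C
2D 36 34 2D 31 36 34 2D 33 36 2D 35 37 2E 64 73
6C 2E 73 63 72 6D 30 31 2E 70 61 63 62 65 6C 6C
2E 6E 65 74 20 28 48 45 4C 4F 20 64 73 6C 2E 6C
6F 63 61 6C 29 20 28 72 6F 6F 74 40 36 34 2E 31
"""


def decode_hexdump(dump: str) -> str:
    """Turn the space-separated hex rows back into the payload text (plain ASCII here)."""
    return bytes(int(tok, 16) for tok in dump.split()).decode("ascii")


def original_rule_matches(payload: str) -> bool:
    """Emulates sid:729 as posted: content:".scr"; nocase; fires on any occurrence."""
    return ".scr" in payload.lower()


# Refinement asked about in the post (constructed): ".scr" only when the next character
# cannot extend an extension, i.e. end of data, quote, CR/LF, space or punctuation.
SCR_EXTENSION = re.compile(r"\.scr(?![A-Za-z0-9_])", re.IGNORECASE)


def refined_rule_matches(payload: str) -> bool:
    """Case-insensitive ".scr" that is not followed by a letter, digit or underscore."""
    return SCR_EXTENSION.search(payload) is not None


# Sample POP3 payload lines. Only the first is real (decoded from the post); the rest are constructed.
RECEIVED_FRAGMENT = decode_hexdump(POST_HEXDUMP)
SAMPLES = {
    "scrm01 hostname (the false positive)": RECEIVED_FRAGMENT,
    "attachment filename (constructed)": 'Content-Disposition: attachment; filename="holiday.SCR"',
    "extension at end of line (constructed)": "begin 644 readme.scr\r\n",
    "scripts hostname (constructed)": "Received: from www.scripts.example",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(f"{label:42s} original={original_rule_matches(line)!s:5s} refined={refined_rule_matches(line)}")
```

The decoded fragment and the "scripts" hostname trip the posted rule but not the refined check, while both attachment-style lines still fire under the refinement.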
Current thread:
- scr Worm - false alarms Wolfgang Rohdewald (Jan 27)
- Re: scr Worm - false alarms Frank Knobbe (Feb 03)
- Re: scr Worm - false alarms Wolfgang Rohdewald (Feb 04)
- Re: scr Worm - false alarms Frank Knobbe (Feb 03)