Snort mailing list archives

scr Worm - false alarms


From: Wolfgang Rohdewald <wr6 () uni de>
Date: Mon, 28 Jan 2002 05:50:05 +0100

this string results in a warning:

65 69 76 65 64 3A 20 66 72 6F 6D 20 61 64 73 6C  eived: from adsl
2D 36 34 2D 31 36 34 2D 33 36 2D 35 37 2E 64 73  -64-164-36-57.ds
6C 2E 73 63 72 6D 30 31 2E 70 61 63 62 65 6C 6C  l.scrm01.pacbell
2E 6E 65 74 20 28 48 45 4C 4F 20 64 73 6C 2E 6C  .net (HELO dsl.l
6F 63 61 6C 29 20 28 72 6F 6F 74 40 36 34 2E 31  ocal) (root@64.1

caused by this rule:

alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; content: ".scr"; nocase; sid:729; classtype:misc-activity; rev:3;)


Is it possible to change this rule such that .scr only triggers if
not followed by other characters? Supposing an extension like .scrm
cannot carry that virus - which I am not certain of.

Wolfgang
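An added illustration, not part of Wolfgang's mail or of the Snort rule set: the Python below decodes the quoted hex dump, applies the rule's plain case-insensitive substring test beside a tighter check that refuses ".scr" when another letter or digit follows (the same constraint a Snort pcre option could carry as /\.scr(?![a-z0-9])/i), and runs both over constructed sample lines. It assumes, as the mail itself leaves open, that only a bare .scr extension is of interest.

```python
import re

# The hex-dump lines quoted in the mail (hex column only).
HEXDUMP = """\
65 69 76 65 64 3A 20 66 72 6F 6D 20 61 64 73 6C
2D 36 34 2D 31 36 34 2D 33 36 2D 35 37 2E 64 73
6C 2E 73 63 72 6D 30 31 2E 70 61 63 62 65 6C 6C
2E 6E 65 74 20 28 48 45 4C 4F 20 64 73 6C 2E 6C
6F 63 61 6C 29 20 28 72 6F 6F 74 40 36 34 2E 31
"""


def decode_hexdump(dump: str) -> str:
    """Rebuild the text from space-separated hex byte pairs."""
    raw = bytes.fromhex("".join(dump.split()))
    return raw.decode("ascii", errors="replace")


def naive_match(payload: str) -> bool:
    """What content:".scr"; nocase; does: a substring test."""
    return ".scr" in payload.lower()


# Tighter check: ".scr" must not be followed by a letter or digit,
# so ".scrm01" or ".scrap" no longer match while "x.scr", "x.SCR"
# or 'x.scr"' still do.  Assumption: a bare .scr extension is the
# only thing the rule is meant to catch.
STRICT_RE = re.compile(r"\.scr(?![a-z0-9])", re.IGNORECASE)


def strict_match(payload: str) -> bool:
    return STRICT_RE.search(payload) is not None


# Constructed sample lines standing in for POP3 payload fragments.
SAMPLES = {
    "received_header": decode_hexdump(HEXDUMP),
    "attachment": 'Content-Disposition: attachment; filename="pics.SCR"',
    "quoted_name": 'name=readme.scr; charset="us-ascii"',
    "scrap_name": "see the file notes.scrap for details",
}


def compare(samples=SAMPLES) -> dict:
    """Return {name: (naive_result, strict_result)} for each sample."""
    return {k: (naive_match(v), strict_match(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        print(f"{name:16} naive={naive!s:5} strict={strict}")
```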



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
