Snort mailing list archives
Re: scr Worm - false alarms
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 03 Feb 2002 14:48:58 -0600
On Sun, 2002-01-27 at 22:50, Wolfgang Rohdewald wrote:
this string results in a warning:

65 69 76 65 64 3A 20 66 72 6F 6D 20 61 64 73 6C  eived: from adsl
2D 36 34 2D 31 36 34 2D 33 36 2D 35 37 2E 64 73  -64-164-36-57.ds
6C 2E 73 63 72 6D 30 31 2E 70 61 63 62 65 6C 6C  l.scrm01.pacbell
2E 6E 65 74 20 28 48 45 4C 4F 20 64 73 6C 2E 6C  .net (HELO dsl.l
6F 63 61 6C 29 20 28 72 6F 6F 74 40 36 34 2E 31  ocal) (root@64.1

caused by this rule:

alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; content: ".scr"; nocase; sid:729; classtype:misc-activity; rev:3;)

Is it possible to change this rule such that .scr only triggers if not followed by other characters? Supposing an extension like .scrm cannot carry that virus - which I am not certain of.
I guess simply adding a 'content: "filename=";' would be enough. Take a look at the other rules in virus.rules and you'll see how they are 'refined'.

Regards,
Frank
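To see why sid:729 fires on the quoted Received: header and what the suggested second content option changes, here is an added Python illustration (not code from the thread or from Snort) that emulates how ANDed content strings match, using the header fragment quoted above plus constructed mail payloads. It also shows a trailing-boundary check for the poster's actual question, and the residual case where both strings occur in a benign message; the payload names and helper functions are assumptions made here.

```python
import re

# Constructed sample payloads for this illustration. The first reuses the
# Received: header fragment quoted in the thread; the others are made up here.
FALSE_POSITIVE = (
    "Received: from adsl-64-164-36-57.dsl.scrm01.pacbell.net "
    "(HELO dsl.local) (root@64.1"
)
TRUE_POSITIVE = (
    "Content-Type: application/octet-stream; name=\"party.scr\"\r\n"
    "Content-Disposition: attachment; filename=\"party.scr\"\r\n"
)
# Benign mail relayed through the same host that also carries a harmless
# attachment: both strings of the refined rule occur, but no .scr file does.
RESIDUAL = FALSE_POSITIVE + "\r\nContent-Disposition: attachment; filename=\"notes.txt\"\r\n"

# Multiple 'content' options in one Snort rule are ANDed: every string must
# occur somewhere in the payload, in any order and at any distance.
ORIGINAL_RULE = [".scr"]                 # sid:729 rev:3 as quoted in the thread
REFINED_RULE = [".scr", "filename="]     # the refinement suggested in the reply


def content_match(payload: str, contents: list[str], nocase: bool = True) -> bool:
    """Emulate the content keyword: each string must be found in the payload."""
    haystack = payload.lower() if nocase else payload
    return all((c.lower() if nocase else c) in haystack for c in contents)


# The poster's real question (".scr" not followed by more characters) needs a
# boundary, which a plain substring match cannot express: '.scr' must not be
# followed by a letter or digit, so 'scrm01' is ignored but 'party.scr"' is not.
SCR_EXTENSION = re.compile(r"\.scr(?![a-z0-9])", re.IGNORECASE)


def scr_extension_match(payload: str) -> bool:
    """Fire only where '.scr' ends a token."""
    return SCR_EXTENSION.search(payload) is not None


def evaluate(payload: str) -> dict[str, bool]:
    """Report which of the three checks would alert on a payload."""
    return {
        "original": content_match(payload, ORIGINAL_RULE),
        "refined": content_match(payload, REFINED_RULE),
        "extension": scr_extension_match(payload),
    }


if __name__ == "__main__":
    for name, payload in (("false_positive", FALSE_POSITIVE),
                          ("true_positive", TRUE_POSITIVE),
                          ("residual", RESIDUAL)):
        print(name, evaluate(payload))
```

The residual case shows the cost of ANDed substrings: a message from that relay with any attachment still trips the refined rule, whereas the boundary check only alerts on an actual .scr extension.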