Re: KLEZ

["Onie Camara" <neil () restricted dyndns org>]

So for smtp, the rule would be:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"Virus - KLEZ on incoming
mail";
content:"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAA"; sid:720;
classtype:misc-activity; rev:3; resp:rst_all;)

----- Original Message -----
From: "Alejandro Flores" <aflores () ipad com br>
To: <snort-users () lists sourceforge net>
Sent: Thursday, April 25, 2002 4:38 PM
Subject: [Snort-users] KLEZ


> Hi all,
>
> Having a look at those KLEZ virus I'm receiving every day, I found that
> the start of the attachment is always the same:
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>
AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
> ZGUuDQ0KJAAAAAAAAA
>
> Let me know if I'm right and if with this rule we can block this out:
>
>
> alert tcp any 110 -> any any (msg:"Virus - KLEZ";
> content:"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAA"; sid:720;
> classtype:misc-activity; rev:3; resp:rst_all;)
>
> I'm testing it on pop3, but I think that it will have to be working on
> smtp.
>
> See ya,
> Alejandro Flores
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users