Snort mailing list archives

Witty worm sig


From: "Dave Ellingsberg" <dave.ellingsberg () csu mnscu edu>
Date: Mon, 22 Mar 2004 09:07:24 -0600

I have tested this on our internet access point and it gets the attack
every time.  May need some more tweaking as more info comes out.

alert udp $HOME_NET 4000 -> any any (msg:"EXPER Witty worm Possible connection"; content:"witty message"; offset: 128; depth: 144; sid: 99998;)

Using $HOME_NET limits alerts to only infected hosts on my network.
Replacing it with any will give you data to refine the rule.  We are
seeing in excess of 500 inbound per minute.

bigfoot
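As an added illustration (not part of the original post or of Snort itself), the following Python models what the posted rule does: it only fires on UDP datagrams whose source port is 4000, whose source address is inside $HOME_NET (or anywhere, when $HOME_NET is replaced with "any"), and whose payload contains "witty message" somewhere in the 144-byte window starting at offset 128. Snort 2's content/offset/depth semantics are assumed to work that way here; the packets are constructed test data and do not reproduce the byte layout of real Witty traffic.

```python
"""Toy re-implementation of the posted Snort rule's match logic.

Assumed Snort 2 semantics for the content options:
  offset N  - start searching N bytes into the UDP payload
  depth  M  - search only M bytes from that starting point
so the pattern must lie entirely inside payload[offset:offset+depth].
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Values copied from the rule in the post
RULE_SRC_PORT = 4000
RULE_CONTENT = b"witty message"
RULE_OFFSET = 128
RULE_DEPTH = 144


@dataclass
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def content_in_window(payload: bytes, pattern: bytes, offset: int, depth: int) -> bool:
    """True if `pattern` is fully contained in the depth-byte window at `offset`."""
    return pattern in payload[offset:offset + depth]


def src_in_home_net(src_ip: str, home_net: str) -> bool:
    """Snort's $HOME_NET check; the literal string 'any' matches every source."""
    if home_net == "any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(home_net, strict=False)


def witty_rule_matches(pkt: UdpPacket, home_net: str) -> bool:
    """alert udp $HOME_NET 4000 -> any any (content:"witty message"; offset:128; depth:144;)"""
    if pkt.src_port != RULE_SRC_PORT:
        return False
    if not src_in_home_net(pkt.src_ip, home_net):
        return False
    return content_in_window(pkt.payload, RULE_CONTENT, RULE_OFFSET, RULE_DEPTH)


def detect(packets: List[UdpPacket], home_net: str) -> List[str]:
    """Return the source IPs of the packets that would raise the alert."""
    return [p.src_ip for p in packets if witty_rule_matches(p, home_net)]


def sample_packets() -> List[UdpPacket]:
    """Constructed traffic (hypothetical addresses from RFC 5737/1918 ranges)."""
    # pattern begins at byte 140, i.e. inside the [128, 272) search window
    in_window = b"\x00" * 140 + RULE_CONTENT + b"A" * 100
    # pattern begins at byte 300, i.e. past the end of the window
    past_window = b"\x00" * 300 + RULE_CONTENT
    return [
        # infected host on the local network scanning outward
        UdpPacket("10.0.0.5", 4000, "198.51.100.7", 1234, in_window),
        # an external infected host hitting us: only seen with $HOME_NET = any
        UdpPacket("203.0.113.9", 4000, "10.0.0.5", 5555, in_window),
        # local host, right port, but the string is outside offset/depth
        UdpPacket("10.0.0.6", 4000, "198.51.100.8", 2222, past_window),
        # local host with the string in range but the wrong source port
        UdpPacket("10.0.0.7", 53, "198.51.100.9", 3333, in_window),
    ]


if __name__ == "__main__":
    pkts = sample_packets()
    print("HOME_NET=10.0.0.0/8 ->", detect(pkts, "10.0.0.0/8"))
    print("HOME_NET=any        ->", detect(pkts, "any"))
```

Running it shows the trade-off the post describes: with $HOME_NET set to the local range only the internal infected host alerts, while "any" also surfaces the inbound scanning traffic, which is the data you would use to refine the offset and depth values.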


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

