Snort mailing list archives
Re: Black/Nyxem
From: Frank Knobbe <frank () knobbe us>
Date: Thu, 26 Jan 2006 14:21:22 -0600
On Thu, 2006-01-26 at 12:04 -0600, Ron Jenkins wrote:
> On the below rule, does anyone show the payload as:
> GET /cgi-bin/Count.cgi?df=765247 HTTP/1.1..Accept: */*..Referer: http://www.snort.org/rules/advisories/vrt-rules-2006-01-25.html.
The virus doesn't send a Referer request header, so this is a false positive. Use the BleedingSnort rule 2002788 instead. We specifically exclude the Referer.

Regards,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
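The triage step described in the reply above, as an added example that is not part of the original message and is not the text of either Snort rule: it sorts captured request payloads that hit the Count.cgi pattern by whether a Referer header is present. The function names, verdict labels and the `counter.example` host are assumptions; the request line and Referer value are the ones quoted in the thread.

```python
# Added illustration: triage of raw HTTP request payloads from alerts.
# Sample payloads are constructed, apart from the quoted request line/Referer.

def parse_request_head(raw: bytes):
    """Split a raw HTTP request into (method, target, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def triage(raw: bytes) -> str:
    """Classify one alert payload (verdict labels are hypothetical)."""
    try:
        method, target, headers = parse_request_head(raw)
    except ValueError:
        return "unparsed"
    path, _, query = target.partition("?")
    if method != "GET" or path != "/cgi-bin/Count.cgi" or not query.startswith("df="):
        return "unrelated"
    # A Referer means a page linked to the counter, e.g. a browser that
    # followed a link; the reply says the virus sends no Referer.
    if "referer" in headers:
        return "likely-false-positive"
    return "investigate"


REQUEST_LINE = b"GET /cgi-bin/Count.cgi?df=765247 HTTP/1.1\r\n"
WITH_REFERER = (
    REQUEST_LINE
    + b"Accept: */*\r\n"
    + b"Referer: http://www.snort.org/rules/advisories/vrt-rules-2006-01-25.html\r\n"
    + b"Host: counter.example\r\n\r\n"
)
WITHOUT_REFERER = REQUEST_LINE + b"Accept: */*\r\nHost: counter.example\r\n\r\n"

if __name__ == "__main__":
    for label, payload in (("with Referer", WITH_REFERER),
                           ("without Referer", WITHOUT_REFERER)):
        print(f"{label}: {triage(payload)}")
```

A missing Referer only narrows the set of alerts worth a closer look; it does not by itself identify the sending host as infected.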