Educause Security Discussion mailing list archives
experience with snort sig :"ET TROJAN Dropper-497 (Yumato) Initial Checkin"
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Mon, 18 May 2009 14:05:11 +1200
Anyone have any feeling for how reliable this one is?

Sig picks up packets dsize:5; content:"|30 30 30 0d 0a|" i.e. packets with exactly 5 characters "000<cr><lf>".

We got a couple of hits on it last night to a machine on a broadband network in China. I've asked someone to have a look at the box but thought I'd ask if anyone had any experience with this rule.

Russell