Snort mailing list archives
RE: welchia rule
From: "Leonard Miller" <Leonard.Miller () udlp com>
Date: Tue, 04 Nov 2003 14:38:52 -0600
Would it matter if the payload was aaaaaaaaaaaaaaaaaaaa and not aaaa aaaa aaaa aaaa The reason I ask is that I saw on arachNIDS that the rule was a little different and picked up as CyberKit 2.2 Windows Thanks Leonard Automatically inserted lawyer supplied blurb follows
"Leonard Miller" <Leonard.Miller () udlp com> 11/04/03 12:10PM >>>
Hi, I just started using snort. In order to use this rule, do I just add that to the virus.rules file and enable the rule in snort.conf? If I should start with something a little more simple, let me know. Thanks Leonard Automatically inserted lawyer supplied blurb follows.
"Schmehl, Paul L" <pauls () utdallas edu> 11/04/03 10:44AM >>>-----Original Message----- From: David Omar Ortega Aranda [mailto:dortega () uacj mx] Sent: Monday, November 03, 2003 5:51 PM To: snort-users () lists sourceforge net Subject: [Snort-users] welchia rule Do any of you have a good working Welchia virus signature?
# This rule is for tracking Nachi infections alert icmp $HOME_NET any -> any any (msg: "ALERT!!! NACHI Infection!!"; content: "|aaaa aaaa aaaa\ aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa\ aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|"; dsize:64; itype: 8; icode: 0; \ classtype:trojan-activity; sid: 10000008; rev: 1;) Paul Schmehl (pauls () utdallas edu) **********CONFIDENTIALITY NOTICE********** The information contained in this e-mail may be proprietary and/or privileged and is intended for the sole use of the individual or organization named above. If you are not the intended recipient or an authorized representative of the intended recipient, any review, copying or distribution of this e-mail and its attachments, if any, is prohibited. If you have received this e-mail in error, please notify the sender immediately by return e-mail and delete this message from your system. ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- welchia rule David Omar Ortega Aranda (Nov 04)
- <Possible follow-ups>
- RE: welchia rule Schmehl, Paul L (Nov 04)
- RE: welchia rule Leonard Miller (Nov 04)
- RE: welchia rule Schmehl, Paul L (Nov 04)
- RE: welchia rule Leonard Miller (Nov 04)
- RE: welchia rule John Impallomeni (Nov 04)
- RE: welchia rule Schmehl, Paul L (Nov 04)
- A tool like swatch Sir Fenix (Nov 06)
- Re: [Snort-sigs] A tool like swatch Matt Kettler (Nov 05)
- Re: Re: [Snort-sigs] A tool like swatch Edin Dizdarevic (Nov 05)
- Re: [Snort-sigs] A tool like swatch Sir Fenix (Nov 06)
- Re: A tool like swatch Jim Brown (Nov 08)
- A tool like swatch Sir Fenix (Nov 06)
- RE: welchia rule Schmehl, Paul L (Nov 04)
- RE: welchia rule Mark . Schutzmann (Nov 05)
- RE: welchia rule Schmehl, Paul L (Nov 05)