Snort mailing list archives

Re: Witty worm sig


From: Tod Beardsley <todb () planb-security net>
Date: Tue, 23 Mar 2004 08:26:03 -0600

Dave Ellingsberg wrote:
> I have tested this on our internet access point and it gets the
> attack every time.  May need some more tweaking as more info comes
> out.

There are more accurate signatures now available through Oinkmaster, 
posted on snort-sigs. However, I like simple sigs like the one you 
posted -- it does the job of picking out this first worm variant, and 
it's e-z-2-read, which I find valuable.

-- 
"It's okay to yell 'fire' in a crowded theater
if the theater is actually on fire."
Tod Beardsley | www.planb-security.net


