Snort mailing list archives

Re: Black/Nyxem


From: Frank Knobbe <frank () knobbe us>
Date: Thu, 26 Jan 2006 14:21:22 -0600

On Thu, 2006-01-26 at 12:04 -0600, Ron Jenkins wrote:
> On the below rule, does anyone show the payload as:
>
> GET /cgi-bin/Count.cgi?df=765247 HTTP/1.1..Accept: */*..Referer:
> http://www.snort.org/rules/advisories/vrt-rules-2006-01-25.html.


The virus doesn't send a Referer request header, so this is a false
positive. Use the BleedingSnort rule 2002788 instead. We specifically
exclude the Referer.

Regards,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
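
The following is an added example, not part of the original message and not the text of BleedingSnort rule 2002788: a Python script that re-checks captured request payloads using the distinction described in the reply, treating a counter request that carries a Referer header as a likely false positive. The function names, verdict labels, and the `counter.example` host in the constructed samples are assumptions.

```python
import re

# Request line as it appears in the payload quoted in the thread.
COUNTER_REQUEST = re.compile(rb"^GET /cgi-bin/Count\.cgi\?df=765247 HTTP/1\.[01]$")


def parse_request(raw: bytes):
    """Split a raw HTTP request into (request_line, {lowercased header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:  # skip malformed lines that have no colon
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def triage(raw: bytes) -> str:
    """Return 'no-match', 'likely-false-positive' or 'alert' (hypothetical labels)."""
    request_line, headers = parse_request(raw)
    if not COUNTER_REQUEST.match(request_line):
        return "no-match"
    # Header names are case-insensitive, and the check is on the header name,
    # not a substring search, so "Referer" inside another header's value is ignored.
    if b"referer" in headers:
        return "likely-false-positive"
    return "alert"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "no_referer": b"GET /cgi-bin/Count.cgi?df=765247 HTTP/1.1\r\n"
                  b"Accept: */*\r\nHost: counter.example\r\n\r\n",
    "browser": b"GET /cgi-bin/Count.cgi?df=765247 HTTP/1.1\r\nAccept: */*\r\n"
               b"Referer: http://www.snort.org/rules/advisories/vrt-rules-2006-01-25.html\r\n\r\n",
    "lowercase": b"GET /cgi-bin/Count.cgi?df=765247 HTTP/1.1\r\n"
                 b"referer: http://www.snort.org/\r\n\r\n",
    "unrelated": b"GET /index.html HTTP/1.1\r\nHost: counter.example\r\n\r\n",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:12s} {triage(payload)}")
```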
