Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SID 39379 Norton Antivirus ASPack

From: Y M <snort () outlook com>
Date: Mon, 13 Feb 2017 20:10:58 +0000
A similar question came up the other day. This is a gid:3 rule, a Shared Object rule. The detection part is actually a 
compiled code and what you see is the rule stub. The flowbits is set by another rule to make sure that the detection 
alerts on executable files.

https://www.snort.org/faq/shared-object-rules

YM


________________________________
From: Charlie Dyer <charlierwdyer () gmail com>
Sent: Monday, February 13, 2017 11:01:50 PM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] SID 39379 Norton Antivirus ASPack

Hello list

Could anyone shed light on the rule 39379?

I can't see any content matching, it simply alerts on any file that is an executable being downloaded, is that right?
If so, what has this got to do with Norton Antivirus?

Many thanks in advance.

Charlie

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: