
RE: [Snort-users] NetSky worm signature definition...!!!



02-19-2004
Tim Hergert

Having a portion that is a mass mailer, you'll see it come in on port 25 for
sure . . .

Using Matt Kettler's suggestion, I quickly kluged together a rule using the
clam av signature
http://www.clamav.net/

However, the old Klez detection rule seems to be triggered by NetSky, and
the log times seem to correlate exactly with the logs from the antivirus
software on the mail server.

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; flow:to_server,established; dsize:>120; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:3;)

Seems to work well for me, but maybe I'm just lucky.


-----Original Message-----
From: Semerjian, Ohanes [mailto:ohanes.semerjian@au.mci.com]
Sent: February 18, 2004 8:23 PM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] NetSky worm signature definition...!!!


Hello all,
Just was wondering if anyone had this latest worm signature defined or knows
how it works (like which port, protocol it uses).
Best Regards
Ohanes Semerjian


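Why the old Klez rule also fires on NetSky, as an added illustration (not code from the thread): the rule's second content string is base64 for "This pro", the start of the DOS-stub text found in nearly every Windows executable, so any base64-encoded PE attachment whose stub text sits at an offset that is a multiple of 3 produces exactly those characters. The stub offset of 78, the constructed PE-shaped bytes and the minimal MIME message below are assumptions for the demo; the same reasoning means a legitimate .exe attachment will trip the rule too, so treat it as a generic "base64 executable over SMTP" match rather than a Klez-specific one.

```python
import base64

# Content match from the Klez rule quoted above (sid:1800, rev:3).
KLEZ_B64_MATCH = "VGhpcyBwcm9"

# Text the linker places in the DOS stub of most Windows executables; the
# offset 78 used below is the usual placement (an assumption for this demo).
DOS_STUB_TEXT = b"This program cannot be run in DOS mode.\r\n$"


def decode_b64_fragment(fragment: str) -> bytes:
    """Decode a base64 fragment whose length is not a multiple of 4,
    returning only the bytes the fragment fully determines."""
    n = len(fragment) // 4 * 4
    out = base64.b64decode(fragment[:n])
    tail = fragment[n:]
    if len(tail) >= 2:  # 2 tail chars -> 1 full byte, 3 -> 2 full bytes
        out += base64.b64decode(tail + "=" * (4 - len(tail)))[:len(tail) - 1]
    return out


def build_fake_pe(stub_offset: int) -> bytes:
    """Constructed, non-executable bytes shaped like a PE header: 'MZ',
    filler, then the DOS-stub text at the requested offset."""
    return b"MZ" + b"\x90" * (stub_offset - 2) + DOS_STUB_TEXT + b"\x00" * 64


def mime_message(attachment: bytes) -> bytes:
    """Constructed minimal MIME mail carrying one base64 attachment, the
    form in which a mass mailer's payload arrives on port 25."""
    headers = (b"MIME-Version: 1.0\r\n"
               b"Content-Type: application/octet-stream\r\n"
               b"Content-Transfer-Encoding: base64\r\n\r\n")
    return headers + base64.encodebytes(attachment)


def klez_rule_matches(payload: bytes) -> bool:
    """Apply the rule's dsize and two content checks to one SMTP payload."""
    return (len(payload) > 120 and b"MIME" in payload
            and KLEZ_B64_MATCH.encode() in payload)


def alignment_survey(offsets=(78, 79, 80, 81)) -> dict:
    """Report which stub offsets trip the rule. Only offsets that are a
    multiple of 3 keep 'This pro' on a base64 group boundary, so only they
    produce the exact characters 'VGhpcyBwcm9' in the encoded attachment."""
    return {off: klez_rule_matches(mime_message(build_fake_pe(off)))
            for off in offsets}
```

Running `alignment_survey()` shows offsets 78 and 81 matching and 79 and 80 not, which is why the rule catches most base64-attached executables regardless of the worm family.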