I like that better than the one I was using. Too many false positives. I had a copy of the virus, I was thinking about trying to do a signature based on binary content, but I'm not nearly clever enough.
-- be - MOS
Never let someone who says it cannot be done interrupt the person who is doing it.

> -----Original Message-----
> From: Koos Jacobs [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 04, 2001 2:28 PM
> To: Exchange Discussions
> Subject: RE: New Virus outbreak - OT on snort
>
> alert tcp any any -> any 25 (msg:"Virus - Possible Gone.scr";content: "name=\"gone.scr\""; nocase; rev:1; resp:rst_all;)
>
> That is what I am using...
>
> -----Original Message-----
> From: Byron Kennedy [mailto:[EMAIL PROTECTED]]
> Posted At: Tuesday, December 04, 2001 9:18 PM
> Posted To: Exchange
> Conversation: New Virus outbreak - OT on snort
> Subject: RE: New Virus outbreak - OT on snort
>
> yes. do you have a rule that is catching gone_A and pulling the frames off the wire?
>
> -----Original Message-----
> From: Koos Jacobs [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 04, 2001 10:39 AM
> To: Exchange Discussions
> Subject: RE: New Virus outbreak
>
> Don't you guys use an Intrusion Detection Package......something like Snort???
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
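Added example, not part of the original thread or any poster's code: a comparison of the byte match that the quoted rule performs with a check on parsed MIME attachment names, which is where the false positives and misses of a raw content match come from. It assumes the check runs on a whole reassembled message (for instance at a mail gateway) rather than per packet; the helper names and sample messages are constructed for illustration.

```python
from email import message_from_bytes

BLOCKED = {"gone.scr"}  # attachment name from the rule quoted in the thread

def byte_match(raw: bytes) -> bool:
    """What the quoted rule's content/nocase match does on the message bytes."""
    return b'name="gone.scr"' in raw.lower()

def attachment_match(raw: bytes) -> list:
    """Declared filenames of MIME parts whose name is on the blocked list."""
    hits = []
    for part in message_from_bytes(raw).walk():
        # get_filename() reads Content-Disposition filename=, then Content-Type
        # name=, and handles quoted, unquoted and RFC 2231 parameter forms.
        name = part.get_filename()
        if name and name.strip().lower() in BLOCKED:
            hits.append(name)
    return hits

def mime(attach_header: str) -> bytes:
    """Constructed two-part message; attach_header is the attachment's Content-Type."""
    lines = [
        "From: a@example.com", "To: b@example.com", "Subject: Hi",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"', "",
        "--b1", "Content-Type: text/plain", "", "see attachment",
        "--b1", attach_header, "Content-Transfer-Encoding: base64", "",
        "AAAA", "--b1--", "",
    ]
    return "\r\n".join(lines).encode()

# Constructed samples, not captured traffic.
QUOTED = mime('Content-Type: application/octet-stream; name="GONE.SCR"')
UNQUOTED = mime("Content-Type: application/octet-stream; name=gone.scr")
DISCUSSION = (b"From: a@example.com\r\nSubject: RE: New Virus outbreak\r\n\r\n"
              b'My rule matches name="gone.scr" on port 25.\r\n')

if __name__ == "__main__":
    for label, raw in [("quoted", QUOTED), ("unquoted", UNQUOTED),
                       ("discussion", DISCUSSION)]:
        print(label, byte_match(raw), attachment_match(raw))
```

The plain-text message that only mentions the string trips the byte match but has no attachment, while the attachment declared without quotes is caught only by the parsed check.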

