Hey!!! I'm passing along a tip for blocking the MyDoom virus.
Add the following lines to the end of your Snort "virus.rules" file (usually found in /etc/snort/).

alert tcp any any -> $EXTERNAL_NET 25 (msg: "VIRUS - MyDoom/MIMAIL.R Outbound 1"; content: "represented in 7-bit ASCII"; content: "Content-Type\: application/octet-stream"; content: "Content-Transfer-Encoding\: base64"; nocase; rev: 4; sid: 1000569; react: block, msg;)

alert tcp any any -> $EXTERNAL_NET 25 (msg: "VIRUS - MyDoom/MIMAIL.R Outbound 2"; content: "Mail transaction failed"; content: "Content-Type\: application/octet-stream"; content: "Content-Transfer-Encoding\: base64"; nocase; rev: 4; sid:1000570; react: block, msg;)

alert tcp any any -> $EXTERNAL_NET 25 (msg: "VIRUS - MyDoom/MIMAIL.R Outbound 3"; content: "The message contains Unicode characters"; content: "Content-Type\: application/octet-stream"; content: "Content-Transfer-Encoding\: base64"; nocase; rev: 4; sid:1000571; react: block, msg;)

alert tcp any any -> $EXTERNAL_NET 25 (msg: "VIRUS - MyDoom/MIMAIL.R Variant Outbound 4"; content: "We are sorry your UTF-8 encoding is not supported by the server"; nocase; rev: 1; sid:1000572; react: block, msg;)

alert tcp any any -> $EXTERNAL_NET 25 (msg: "VIRUS - MyDoom/MIMAIL.R Outbound 5"; content: "Content-Type\: multipart/mixed"; content: "Content-Transfer-Encoding\: 7bit"; nocase; rev: 4; sid:1000575; react: block, msg;)

Don't forget to confirm that you have the "virus.list" entry in your snort.conf!! The entry at the end of snort.conf should look like this:

include virus.rules

Cheers
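Before enabling rules that carry react: block, it helps to see which of them fire on ordinary mail. The following is an added example, not part of the original post: a Python sketch that evaluates only the content/nocase options of the five rules against two constructed messages. The function names and sample messages are assumptions, and this is not Snort's own matching engine.

```python
import re

# Option strings of the five rules from the post (rule headers omitted:
# this sketch only evaluates content/nocase, not ports, flow or react).
RULES = {
    1000569: r'content: "represented in 7-bit ASCII"; content: "Content-Type\: application/octet-stream"; content: "Content-Transfer-Encoding\: base64"; nocase;',
    1000570: r'content: "Mail transaction failed"; content: "Content-Type\: application/octet-stream"; content: "Content-Transfer-Encoding\: base64"; nocase;',
    1000571: r'content: "The message contains Unicode characters"; content: "Content-Type\: application/octet-stream"; content: "Content-Transfer-Encoding\: base64"; nocase;',
    1000572: r'content: "We are sorry your UTF-8 encoding is not supported by the server"; nocase;',
    1000575: r'content: "Content-Type\: multipart/mixed"; content: "Content-Transfer-Encoding\: 7bit"; nocase;',
}
OPTION = re.compile(r'content\s*:\s*"((?:[^"\\]|\\.)*)"\s*;|(nocase)\s*;')

def parse_contents(options):
    """Return [(pattern_bytes, nocase)]; nocase modifies only the content before it."""
    contents = []
    for m in OPTION.finditer(options):
        if m.group(2):
            if contents:
                contents[-1] = (contents[-1][0], True)
        else:
            text = re.sub(r'\\(.)', r'\1', m.group(1))  # rule escape \: -> :
            contents.append((text.encode("ascii"), False))
    return contents

def matching_sids(payload):
    """SIDs whose content options are all present anywhere in the payload."""
    hits = []
    for sid, options in RULES.items():
        if all((pat.lower() in payload.lower()) if nocase else (pat in payload)
               for pat, nocase in parse_contents(options)):
            hits.append(sid)
    return hits

# Constructed sample messages (not captured traffic).
WORM_LIKE = (b"Subject: test\r\n\r\nMail transaction failed.\r\n"
             b"Content-Type: application/octet-stream\r\n"
             b"Content-Transfer-Encoding: BASE64\r\n\r\nAAAA\r\n")
BENIGN = (b"Subject: Q3 report\r\nContent-Type: multipart/mixed; boundary=x\r\n\r\n"
          b"--x\r\nContent-Type: text/plain\r\nContent-Transfer-Encoding: 7bit\r\n\r\n"
          b"Report attached.\r\n--x\r\nContent-Type: application/pdf\r\n"
          b"Content-Transfer-Encoding: base64\r\n\r\nJVBERi0=\r\n--x--\r\n")

if __name__ == "__main__":
    for name, msg in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(name, matching_sids(msg))
```

The benign multipart message with a 7bit text part triggers sid 1000575, so rule 5 as posted would also match ordinary mail with attachments and, with react: block, interrupt it.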
