
Re: [Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a? .....can you give me some pointers. (fwd)

From: Dale L. Handy <dhandy(at)nitrodata.com>
Date: Tue May 20 2003 - 17:44:52 EDT

I think you just need to 'escape' the colon (:), i.e., put a backslash (\) in front of it:

alert tcp $EXTERNAL_NET any -> any 25 \
(flow:to_server,established;\
content:"From\:support@microsoft.com";nocase;\
content:"| 2E 70 69 66 |"; distance: 4; within: 4;\
byte_test: 4, >, 15,0,relative,string;\
msg:"Incoming manhkX worm to mail server";)

I am not where I can test it right now, but I'll try to do so later...

daniel.clemens wrote:

>I was playing around last night with some of these rules hoping to get

-- 
"The trouble with doing something right the first time 
 is that nobody appreciates how difficult it was."

-- Dale L. Handy, P.E.
   dale@srv.net          (208) 552-5332 (work)          (208) 403-6424 (cell)
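The colon-escaping point in the message above, as an added example that is neither part of the mailing-list post nor Snort's own code: a minimal Python parser modelled on the Snort 2 rule-option syntax (backslash line continuation, ';'-separated options, a ':' between option name and value, double-quoted content with backslash escapes and |hex| blocks; these rules are assumptions taken from the Snort manual, not a reimplementation of its parser). It joins the continued lines of the posted rule, splits the options, decodes both content strings, and lists which characters inside a content value are still unescaped, so the effect of writing `\:` can be checked without a Snort install. The rule text is embedded as a constructed input.

```python
"""Minimal parser for the option section of a Snort 2-style rule.

Added example (not Snort's parser): joins backslash-continued lines,
splits the option body on ';' outside quotes, splits each option on its
first ':' outside quotes, and decodes content values (|hex| blocks and
backslash escapes). Syntax rules are assumptions taken from the manual.
"""
import re

# Constructed input: the rule from the mailing-list post, with its
# backslash line continuations.
RULE = r'''alert tcp $EXTERNAL_NET any -> any 25 \
(flow:to_server,established;\
content:"From\:support@microsoft.com";nocase;\
content:"| 2E 70 69 66 |"; distance: 4; within: 4;\
byte_test: 4, >, 15,0,relative,string;\
msg:"Incoming manhkX worm to mail server";)'''

# ':' as the mail advises; ';' '\' '"' per the Snort 2 manual's content docs.
MUST_ESCAPE = ':;"\\'


def join_continuations(text):
    """Join lines that end in a backslash into one logical rule line."""
    return re.sub(r'\\\n\s*', '', text)


def split_options(body):
    """Split 'k:v; k2; ...' into (key, value) pairs, honouring quotes and escapes."""
    opts, buf, key, quoted, i = [], [], None, False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):   # keep escape pairs intact
            buf.append(ch + body[i + 1]); i += 2; continue
        if ch == '"':
            quoted = not quoted
        elif ch == ':' and not quoted and key is None:
            key = ''.join(buf).strip(); buf = []; i += 1; continue
        elif ch == ';' and not quoted:
            val = ''.join(buf).strip()
            # an option with no ':' (e.g. nocase) has a name but no value
            opts.append((key, val) if key is not None else (val, None))
            buf, key = [], None; i += 1; continue
        buf.append(ch); i += 1
    return opts


def parse_rule(text):
    """Return (header, [(option, value), ...]) for a possibly continued rule."""
    flat = join_continuations(text)
    header, _, rest = flat.partition('(')
    body = rest.rsplit(')', 1)[0]
    return header.strip(), split_options(body)


def decode_content(raw):
    """Decode a content value: strip quotes, expand |hex| blocks, unescape '\\x'."""
    s = raw.strip()
    if s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    out, i, in_hex = bytearray(), 0, False
    while i < len(s):
        ch = s[i]
        if ch == '|':
            in_hex = not in_hex; i += 1
        elif in_hex:
            if ch.isspace():
                i += 1; continue
            pair = s[i:i + 2]
            if not re.fullmatch(r'[0-9A-Fa-f]{2}', pair):
                raise ValueError('bad hex in content: %r' % raw)
            out.append(int(pair, 16)); i += 2
        elif ch == '\\' and i + 1 < len(s):
            out.extend(s[i + 1].encode()); i += 2
        else:
            out.extend(ch.encode()); i += 1
    return bytes(out)


def unescaped_specials(raw):
    """Characters from MUST_ESCAPE that appear unescaped inside a content value."""
    s = raw.strip()
    if s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    found, i = [], 0
    while i < len(s):
        if s[i] == '\\':
            i += 2; continue
        if s[i] in MUST_ESCAPE:
            found.append(s[i])
        i += 1
    return found


if __name__ == '__main__':
    header, options = parse_rule(RULE)
    print(header)
    for name, value in options:
        shown = decode_content(value) if name == 'content' else value
        print('  %-10s %r  unescaped=%r' % (name, shown,
              unescaped_specials(value) if name == 'content' else '-'))
```

Running it shows the escaped `From\:support@microsoft.com` decoding to the plain `From:support@microsoft.com` match string with nothing left unescaped, while the same value written without the backslash reports the bare `:`; the `| 2E 70 69 66 |` content decodes to `.pif`.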

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Tue May 20 18:29:28 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:29 EDT

