
RE: [Snort-sigs] Virus sig for worm_palyh.a and pe_ganda.a?

From: Burak DAYIOGLU <dayioglu(at)metu.edu.tr>
Date: Wed May 21 2003 - 01:18:46 EDT

On Tue, 2003-05-20 at 18:04, Robert Reid wrote:
> Just loaded this rule on two sensors and immediately started getting 1000's

Are you sure that the alerts are merely false positives? I believe that you are infected ;)

The rule below is one of the longest pattern-matching rules in the whole snort ruleset; I don't suspect it will generate many false positives. (Actually, such long patterns *generally* cause false negatives instead :)

> alert tcp any any -> any 25 (msg:"Possible Palyh virus in SMTP"; \

With regards.

-- 
Burak DAYIOGLU
Phone: +90 312 2103379      Fax: +90 312 2103333
http://www.dayioglu.net        ICQ UIN: 72276975



Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Wed May 21 02:08:01 2003
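An added illustration of the point made in the reply (not part of the thread, and not the Palyh rule's own content match): a long `content` pattern copied from one captured SMTP session tends to miss the same attachment when another mail client folds the base64 body at a different line length, or when the pattern straddles a TCP segment boundary and the sensor matches per packet without stream reassembly. The attachment bytes, line lengths and segment size are constructed assumptions; the short pattern survives both cases, the long one fails both.

```python
import base64

# Constructed stand-in for an e-mailed attachment (synthetic bytes, not worm content).
ATTACHMENT = bytes(range(256)) * 4          # 1024 bytes


def mime_body(payload: bytes, line_len: int = 76) -> bytes:
    """Base64-encode payload the way a mail client would, folding at line_len."""
    enc = base64.b64encode(payload)
    lines = [enc[i:i + line_len] for i in range(0, len(enc), line_len)]
    return b"\r\n".join(lines) + b"\r\n"


def segments(stream: bytes, mss: int) -> list:
    """Cut the SMTP byte stream into TCP segments of at most mss bytes."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def matches_per_packet(stream: bytes, pattern: bytes, mss: int) -> bool:
    """Content match evaluated packet by packet (no stream reassembly)."""
    return any(pattern in seg for seg in segments(stream, mss))


def matches_reassembled(stream: bytes, pattern: bytes) -> bool:
    """The same content match over the reassembled stream."""
    return pattern in stream


def false_negative_cases(short_len: int = 16, long_len: int = 200) -> dict:
    """Which (pattern length, evasion) combinations the content match still hits."""
    body76 = mime_body(ATTACHMENT, 76)   # the session the rule was written from
    body64 = mime_body(ATTACHMENT, 64)   # same attachment, a different client's folding
    short = body76[400:400 + short_len]  # sits inside one encoded line
    long = body76[400:400 + long_len]    # spans two CRLF line breaks
    return {
        "short/refolded": matches_reassembled(body64, short),    # True
        "long/refolded": matches_reassembled(body64, long),      # False
        "short/segmented": matches_per_packet(body76, short, 512),  # True
        "long/segmented": matches_per_packet(body76, long, 512),    # False (straddles 512)
    }


if __name__ == "__main__":
    for case, hit in false_negative_cases().items():
        print(f"{case:16s} {'match' if hit else 'MISSED'}")
```

Reassembling the stream fixes the second failure mode but not the first; a pattern that does not cross an encoded line break, or a match on the decoded attachment, is what survives re-encoding.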
