Hosting Provided By

RE: [Snort-sigs] Netsky.P Signature

From: Adrian Marsden <amarsden(at)jvsdet.org>
Date: Wed Mar 24 2004 - 08:12:42 EST

Actually, from a forensics pov this rule is useful if the direction is reversed, (Ext -> Home), when placed inside the firewall and other filters you can determine what potentially harmful files actually entered the system during a given period. With checking of the mail logs you can then determine who received what files, which may be useful.

I would leave it as suspicious filename, not as a policy violation if you reverse the direction.

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar@trimble.co.nz] Sent: Tuesday, March 23, 2004 8:31 PM
To: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] Netsky.P Signature

On Tue, Mar 23, 2004 at 08:03:26AM -0600, Mark.Schutzmann@Omron.com wrote:
>
> I can't wait for all of the FP's on this one... but at least it will
be
> fast ;-)

I wouldn't say FPs - but the msg should be something more like

msg:"Email OUTBOUND bad file attachment";

as this rule merely notices e-mails with attachments typically assosiated
with viruses - not viruses themselves. You could say it was more of a "policy-violation" rule perhaps...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.
http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.
http://ads.osdn.com/?ad_id70&alloc_id638&opick
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Wed Mar 24 10:07:23 2004

This message: [ Message body ]
Next message: Hugo van der Kooij: "[Snort-sigs] Duplicate 732"
Previous message: Jason Haar: "Re: [Snort-sigs] Netsky.P Signature"
Maybe in reply to: Cam Beasley, ISO: "[Snort-sigs] Netsky.P Signature"
In reply to Mark.Schutzmann(at)Omron.com: "Re: [Snort-sigs] Netsky.P Signature"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:39 EDT

Do you need help?