[Dshield] Sobig watch
Johannes B. Ullrich
jullrich at sans.org
Sat Aug 23 16:25:09 GMT 2003
> It's not always necessary to wait for an "official" rule of some sort;
> in fact, in some cases you just have to write your own to perform a
> specific task...
Very true. The rule you posted will work (actually: I think the ':' was
right :-/ ).
The nice thing about Snort is that you are able to write your own rules
and do not have to agree with a vendor's idea of good/bad traffic.
One note for the 'Sobig Watch': Try to turn on logging in unified or
tcpdump format, so you capture full packets. The short "alerts" format
will not do much good.
SANS - Internet Storm Center
PGP Key: http://isc.sans.org/jullrich.txt
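As an added illustration of the logging note above (my own code, not anything posted to the list or shipped with Snort): Snort's short alert format records only the header summary, while a tcpdump-format (pcap) log keeps the whole packet, payload included. The script builds a constructed pcap record and a constructed alert_fast line for the same hypothetical hit and shows what each one lets you recover afterwards. The addresses, ports, rule ID and SMTP payload are made up; the alert line only imitates the alert_fast layout and is not a real Sobig signature.

```python
import re
import socket
import struct

# Constructed sample data (not real Sobig traffic): one SMTP client line as
# the TCP payload, and a Snort alert_fast line for the same hypothetical hit.
PAYLOAD = b"MAIL FROM:<someone@example.com>\r\n"
SAMPLE_ALERT = ("08/23-16:25:09.000000  [**] [1:1000001:1] LOCAL sobig watch [**] "
                "[Priority: 0] {TCP} 10.0.0.5:1025 -> 192.0.2.25:25")


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP headers around payload (checksums left zero)."""
    eth = bytes(12) + b"\x08\x00"                     # MACs zeroed, EtherType IPv4
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames, ts_sec=1061655909):
    """Serialise frames as a classic libpcap file (the tcpdump format Snort logs in)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts_sec, i, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) from a pcap blob, honouring its byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != 1:
        raise ValueError("only Ethernet captures handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Pull addresses, ports and the TCP payload out of an Ethernet/IPv4/TCP frame."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                    # not TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    return {"proto": "TCP", "src": socket.inet_ntoa(ip[12:16]), "sport": sport,
            "dst": socket.inet_ntoa(ip[16:20]), "dport": dport, "payload": tcp[doff:]}


ALERT_RE = re.compile(r"\{(\w+)\} (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_alert_fast(line):
    """An alert_fast line carries the 5-tuple and nothing of the packet body."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"proto": m.group(1), "src": m.group(2), "sport": int(m.group(3)),
            "dst": m.group(4), "dport": int(m.group(5)), "payload": None}


def compare_sources(alert_line, pcap_bytes):
    """Return what each log format gives you back for the same event."""
    from_alert = parse_alert_fast(alert_line)
    from_pcap = [decode_tcp(f) for _, _, f in read_pcap(pcap_bytes)]
    return from_alert, from_pcap


if __name__ == "__main__":
    pcap = write_pcap([build_frame("10.0.0.5", "192.0.2.25", 1025, 25, PAYLOAD)])
    alert, packets = compare_sources(SAMPLE_ALERT, pcap)
    print("alert_fast gives:", alert)
    print("tcpdump log gives:", packets[0])
```

The alert line yields only the 5-tuple; the pcap record yields the same 5-tuple plus the bytes the rule actually matched on, which is what you need to tell a real Sobig hit from a false positive. In Snort 2.x of that era the full-packet logs come from `output log_tcpdump: snort.log` (or `-b` on the command line) and `output log_unified: filename snort.log, limit 128` in snort.conf; `output alert_fast: alert` is the short format the note warns about. A log_tcpdump file can be read back with `tcpdump -r` or any other pcap-aware tool.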