[Dshield] Sobig watch

Johannes B. Ullrich jullrich at sans.org
Sat Aug 23 16:25:09 GMT 2003

> It's not always necessary to wait for an "official" rule of some sort;
> in fact, in some cases you just have to write your own to perform a
> specific task...

Very true. The rule you posted will work (actually: I think the ':' was
right :-/ ).

The nice thing about snort is that you are able to write your own rules
and do not have to agree with a vendors idea of good/bad traffic. 

One note for the 'Sobig Watch': Try to turn on logging in unified or
tcpdump format, so you capture full packets. The short "alerts" format
will not do much good.

SANS - Internet Storm Center
PGP Key: http://isc.sans.org/jullrich.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20030823/e6cfbf8d/attachment.bin

More information about the list mailing list