[Dshield] Snort-Ruleset for Sobig

Porter, Richard USA rwporter at nps.navy.mil
Sat Aug 23 21:20:03 GMT 2003

There was an error in my ruleset that I am posting for continuity.
alert tcp $EXTERNAL_NET 8998 -> any any (msg:"Possible Sobig Probe from Outside HomeNet";)

Should read

alert udp $EXTERNAL_NET 8998 -> any 135 (msg:"Possible Sobig Probe from Outside HomeNet";)

Sorry about that



	-----Original Message----- 
	From: John D. [mailto:lists at webcrunchers.com] 
	Sent: Fri 8/22/2003 9:17 PM 
	To: General DShield Discussion List 
	Subject: Re: [Dshield] Snort-Ruleset for Sobig

	>This is a rule-set I whipped up to monitor internal traffic. It is by
	>known sobig ports and the decrypted list of IPs posted on
	Where is this ruleset? I looked for it in the enclosed URL, but just
	saw the original article.