[Dshield] Snort-Ruleset for Sobig

Porter, Richard USA rwporter at nps.navy.mil
Sat Aug 23 21:20:03 GMT 2003


There was an error in my ruleset that I am posting for continuity.
 
alert tcp $EXTERNAL_NET 8998 -> any any (msg:"Possible Sobig Probe from Outside HomeNet";)

Should read

alert udp $EXTERNAL_NET 8998 -> any 135 (msg:"Possible Sobig Probe from Outside HomeNet";)

Sorry about that

Rich

 

	-----Original Message----- 
	From: John D. [mailto:lists at webcrunchers.com] 
	Sent: Fri 8/22/2003 9:17 PM 
	To: General DShield Discussion List 
	Cc: 
	Subject: Re: [Dshield] Snort-Ruleset for Sobig
	
	

	>All,
	>
	>This is a rule-set I whipped up to monitor internal traffic. It is by
	>known sobig ports and the decrypted list of IPs posted on
	>http://www.sophos.com/virusinfo/articles/sobigiplist.html
	
	Where is this ruleset? I looked for it in the enclosed URL, but just
	saw the original article.
	
	John
	
	
	


