-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sourcefire VRT Certified Rules Update
Synopsis:
The Sourcefire Vulnerability Research Team (VRT) has improved detection
for the new Sober worm variant.
Details:
The Sober worm is a mass mailer normally spread via email. A variant of
this worm displays more infection indicators that can be detected
easily using rules.
Rules to detect machines infected with this variant of the sober worm
are included in this update and are identified as sids 5320 and 5324.
Updated rules:
5321 - VIRUS Possible Sober virus set one NTP time check attempt
(virus.rules)
5322 - VIRUS Possible Sober virus set two NTP time check attempt
(virus.rules)
5323 - VIRUS Possible Sober virus set three NTP time check attempt
(virus.rules)
New rules:
2519 - DELETED SMTP Client_Hello overflow attempt (deleted.rules)
2538 - DELETED SMTP SSLv3 Client_Hello request (deleted.rules)
2539 - DELETED SMTP SSLv3 Server_Hello request (deleted.rules)
2540 - DELETED SMTP SSLv3 invalid Client_Hello attempt (deleted.rules)
3060 - DELETED WEB-MISC TLS1 Client_Hello with pad via SSLv2 handshake
request (deleted.rules)
5320 - VIRUS Possible Sober virus set one call home attempt
(virus.rules)
5324 - VIRUS Possible Sober virus set two call home attempt
(virus.rules)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDvaSXMpm0ve0NhMcRAokDAKCT9P4hT0ZlcTrP+0OKLvEn73SyMQCfTjNi
g9cl0l0UGKBvgaWAVF7LDkU=
=U0NV
-----END PGP SIGNATURE-----
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
