W32/Gokar
From: Giles Coochey (g.coochey@btinternet.com)
Date: 12/14/01
Date: 14 Dec 2001 13:51:52 -0000
From: Giles Coochey <g.coochey@btinternet.com>
To: focus-ids@securityfocus.com
Does anyone have an IDS rule for snort to detect the
Gokar virus when encountered by IRC?
I currently have:
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"VIRUS W32/Gokar via IRC"; flags: A+; content: "karen.exe"; classtype:misc-activity; rev:1;)
But as I have not yet encountered the virus on IRC I
can't be sure that the content will be there.
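
One way to check the rule's port range and content match offline before deploying it. This is an added example, not part of the original post: it is a simplified Python model, not Snort itself, and it ignores the flags option. The sample payloads are constructed and assume the file name appears in cleartext in an IRC DCC SEND offer; the nocase variant is an assumed alternative shown for comparison.

```python
import re

# The rule as posted in the message above.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 '
        '(msg:"VIRUS W32/Gokar via IRC"; flags: A+; content: "karen.exe"; '
        'classtype:misc-activity; rev:1;)')
# Assumed variant: same rule with Snort's nocase modifier after the content.
NOCASE_RULE = RULE.replace('content: "karen.exe";',
                           'content: "karen.exe"; nocase;')

# Constructed sample payloads (not captured traffic).
SAMPLE_LOWER = b'PRIVMSG nick :\x01DCC SEND karen.exe 3232235777 1024 8192\x01\r\n'
SAMPLE_MIXED = b'PRIVMSG nick :\x01DCC SEND Karen.EXE 3232235777 1024 8192\x01\r\n'


def parse_rule(rule):
    """Pull the destination port range, content string and nocase flag."""
    header, options = rule.split('(', 1)
    low, high = header.split()[-1].split(':')
    content = re.search(r'content:\s*"([^"]*)"', options).group(1)
    nocase = re.search(r'\bnocase\s*;', options) is not None
    return int(low), int(high), content.encode(), nocase


def rule_matches(rule, dst_port, payload):
    """Model the port and content checks only (TCP flags are not modelled)."""
    low, high, content, nocase = parse_rule(rule)
    if not low <= dst_port <= high:
        return False  # IRC server listening outside 6666:7000 is never inspected
    if nocase:
        return content.lower() in payload.lower()
    return content in payload  # content matching is case-sensitive by default


if __name__ == '__main__':
    cases = [('posted rule, lower-case name', RULE, 6667, SAMPLE_LOWER),
             ('posted rule, mixed-case name', RULE, 6667, SAMPLE_MIXED),
             ('nocase rule, mixed-case name', NOCASE_RULE, 6667, SAMPLE_MIXED),
             ('nocase rule, port 7777', NOCASE_RULE, 7777, SAMPLE_LOWER)]
    for label, rule, port, payload in cases:
        print(f'{label}: {"alert" if rule_matches(rule, port, payload) else "no alert"}')
```
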