
Thread: Another Storm Worm Sig




Another Storm Worm Sig
2007-12-26 16:19:40
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE WORM Merry Storm Worm Christmas Charlie Brown"; flow:established,to_server; uricontent:"uhavepostcard.com"; nocase; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=3784; sid:2007998; rev:1;)

Joshua Gimer
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

Re: Another Storm Worm Sig
2007-12-30 20:30:35
Josh,
Sorry to take so long to get back to you. Your email didn't make it around the filters since it contained known malicious domains.

I think people are better off blocking these at the firewall rather than creating sigs for them.
See this US-CERT advisory that contains a full list of domains to block:
http://www.us-cert.gov/current/index.html#storm_worm_activity_increases_during

Blake Hartstein


On Dec 26, 2007 5:19 PM, Joshua Gimer <jgimergmail.com> wrote:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE WORM Merry Storm Worm Christmas Charlie Brown";;


--
Blake Hartstein
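
Added example (not part of the original thread, and not Snort's own code): a simplified Python model of the rule's uricontent test with nocase, run over constructed HTTP requests. It shows that the request URI carries the domain only in proxy-style requests, while the Host header carries it in both forms. The function names and the sample requests are assumptions made for illustration.

```python
# Simplified model of a Snort 2.x `uricontent` check (illustrative only).
# Assumption: uricontent is evaluated against the request URI, not the headers.
RULE_URICONTENT = "uhavepostcard.com"  # pattern taken from the rule in the thread


def parse_request(raw: bytes):
    """Split a raw HTTP request into (request URI, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return uri, headers


def uricontent_match(raw: bytes, pattern: str = RULE_URICONTENT) -> bool:
    """Case-insensitive substring match on the request URI (uricontent + nocase)."""
    uri, _headers = parse_request(raw)
    return pattern.lower() in uri.lower()


def host_match(raw: bytes, pattern: str = RULE_URICONTENT) -> bool:
    """Case-insensitive substring match on the Host header, for comparison."""
    _uri, headers = parse_request(raw)
    return pattern.lower() in headers.get("host", "").lower()


# Constructed sample requests (not captured traffic).
SAMPLES = {
    # Client talks to the web server directly: domain appears only in Host.
    "direct": b"GET / HTTP/1.1\r\nHost: UHavePostcard.com\r\nUser-Agent: test\r\n\r\n",
    # Client talks through an HTTP proxy: absolute URI carries the domain.
    "proxied": b"GET http://uhavepostcard.com/ HTTP/1.1\r\nHost: uhavepostcard.com\r\n\r\n",
    # Unrelated request.
    "benign": b"GET /news HTTP/1.1\r\nHost: example.org\r\n\r\n",
}


def evaluate():
    """Return {sample name: (uricontent hit, Host header hit)}."""
    return {name: (uricontent_match(r), host_match(r)) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (uri_hit, host_hit) in evaluate().items():
        print(f"{name:8s} uricontent={uri_hit!s:5s} host_header={host_hit}")
```
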