Snort Sig for Novarg - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 12 of 12

Thread: Snort Sig for Novarg

  1. #11
    Junior Member
    Join Date
    Oct 2003
    Posts
    10
    Ask your email admin to turn off the auto responder for Norton. This virus spoofs the sender so the auto responder is not effective. You end up sending messages to people that are probably are not infected causing more confusion and more traffic.

  2. #12
    Senior Member
    Join Date
    Jun 2003
    Posts
    236

    Re: novarg

    Originally posted here by Tanker135
    To: S3cur|ty4ng31
    I've created a rules files with your posting and am taking hits from outside my firewall. It would appear that some novarg virus traffic is originating from our mail server, however my mail administrator claims it could not happen, as he's installed Norton's protection software. He does claim that Norton automatically responds to senders of novarg that the're infected. Could the automatic response be the cause of the hits I'm seeing coming from the inside of my network?

    Thanks!
    Yeah I am assuming your spoofed. One of the things the virus does is use the email addressed stored on the computer so it porbably just used your email address at another computer and sent an email back to you. And the snort rules are designed only to see incoming traffic on port 25 if you copied them directly so its not like your sending anything out.

    Oh I didnt get much feedback at all on my rules so I am just curious if anything got past them. I havent gotten much of the mutated versions but so far its detected every Novarg and every variation. I would like to no if any got by you and if they did could you possibly email me what did.
    That which does not kill me makes me stronger -- Friedrich Nietzche

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •