Re: Allaplw Trojan Sig

ICMP protocol sigs are always fun, I need to run them through the rule 
profiler in Snort :-)


Shirkdog
' or 1=1--
http://www.shirkdog.us





> From: Frank Knobbe <frank-AcRFykbqG4P1P9xLtpHBDw@xxxxxxxxxxxxxxxx>
> Reply-To: Bleeding Sigs 
> <bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx>
> To: Bleeding Sigs 
> <bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx>
> Subject: Re: [Bleeding-sigs] Allaplw Trojan Sig
> Date: Mon, 15 Jan 2007 18:02:07 -0600
>
> On Mon, 2007-01-15 at 14:12 -0500, Matt Jonkman wrote:
> > I did something similar, and spread it out to 2 sigs to get in and out.
> >
> > 
> http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/VIRUS/WORM_Allaple?view=markup
> >
> > That what you had in mind?
>
> Good. I was about to say, you should optimize it so that the type and
> code checks are done before the content check. Remember, faster option
> checks first.
>
> Cheers,
> Frank
>
>
>
> --
> It is said that the Internet is a public utility. As such, it is best
> compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> against your ports.


> << signature.asc >>




> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

_________________________________________________________________
Fixing up the home? Live Search can help 
http://imagine-windowslive.com/search/kits/default.aspx?kit=improve&locale=en-US&source=hmemailtaglinenov06&FORM=WLMTAG