Snort mailing list archives

Re: Snort doesn't detect W32/Opaserv.worm attack


From: Scott Nursten <scottn () s2s ltd uk>
Date: Tue, 26 Nov 2002 12:05:24 +0000

This should really go on snort-sigs....! I have sent this reply to that
list, so you should hopefully see a response soon (if you subscribe).

Snort 1.8.4 is no longer current/stable so I'm not sure if there is anyone
updating rules for this version.

Regards,

Scott Nursten 


On 11/26/02 8:31 AM, "jo cam" <jo.cam () caramail com> wrote:

Hi,

A variant of this worm (INSTIT.BAT) was discovered
recently. On the NAI AVERT web page, they give the infection mode.
The worm uses NetBIOS for NT traffic (UDP port 137).

The default netbios.rules checks NetBIOS traffic (TCP
port 139). Does anyone have rules to detect the activity
of this worm?

I use MDK 8.2 (kernel 2.4.18) and snort 1.8.4.

Regards,

JO
