Snort mailing list archives
NETBIOS nimda.eml
From: "Paul Lane" <paul_lane () supplyworks com>
Date: Wed, 22 Oct 2003 13:00:32 -0400
This rule is generating lots of alerts on my network:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; content:"|00|.|00|E|00|M|00|L"; flow:to_server,established; classtype:bad-unknown; reference:url,www.f-secure.com/v-descs/nimda.shtml; sid:1293; rev:8;)

The source IP is an Exchange 2000 server and the destination IP is a file server. I've made sure that these boxes are patched and the virus dat files are current. Can I modify this rule and cut down on the alerts it's generating?

Thanks,
Paul Lane
Current thread:
- NETBIOS nimda.eml Paul Lane (Oct 22)
- Re: NETBIOS nimda.eml Erek Adams (Oct 22)
- Re: NETBIOS nimda.eml Jason Haar (Oct 22)