Snort mailing list archives
Nimda rules that may help
From: Dr SuSE <drsuse () drsuse org>
Date: Tue, 18 Sep 2001 19:20:39 GMT
So far this morning we have seen almost 100,000 attempted cmd.exe exploits. What we did was comment out the cmd.exe exploit rule and rewrite it so that it looks for infected hosts on our internal network attempting to exploit external hosts. Here is the rule:

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 80 (msg:"WEB-IIS cmd.exe Out"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)

Also, Chris Mayor wrote a simple rule to detect an incoming Nimda virus.

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"w32.Nimda worm incoming"; flags: A+; content:"|6D 65 3D 22 72 65 61 64 6D 65 2E 65 78 65 22|";)

---------------------------------------------
Microsoft is not installed.
http://www.drsuse.org/
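To see exactly what the two rules above match, here is an added example (not part of the original post, and not Snort's own code): a small Python evaluator that implements just the rule features the post uses, namely the direction fields, `flags: A+`, `content` with both literal and `|hex|` sections, and `nocase`, and runs the two posted rules over constructed packets. The `$HOME_NET` and `$HTTP_SERVERS` bindings and all packets are assumptions made for the example; the post gives neither. It shows that the hex string in the second rule decodes to `me="readme.exe"` (the tail of the MIME `name="readme.exe"` header the worm mails out), that `nocase` is what lets the first rule catch `CMD.exe`, and that the rewritten rule stays silent for the same request arriving from outside, which is the point of the rewrite.

```python
import ipaddress
import re

# Hypothetical network bindings standing in for snort.conf `var` lines
# (assumed for this example; the post does not give them).
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
HTTP_SERVERS = [ipaddress.ip_network("10.0.1.0/24")]


def in_net(spec, ip):
    """Resolve a rule address field: 'any' or one of the variables above."""
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return any(addr in n for n in HOME_NET)
    if spec == "$HTTP_SERVERS":
        return any(addr in n for n in HTTP_SERVERS)
    if spec == "$EXTERNAL_NET":  # default snort.conf binds this to !$HOME_NET
        return not in_net("$HOME_NET", ip)
    raise ValueError("unknown address variable %s" % spec)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def decode_content(text):
    """Snort content strings mix literal text with |hex bytes| sections."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


RULE_RE = re.compile(r"alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)\s*$")


def parse_rule(line):
    """Parse the subset of rule syntax the two posted rules use."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax")
    src, sport, dst, dport, opts = m.groups()
    flags = re.search(r"flags:\s*([A-Z]+)(\+?)", opts)
    return {
        "msg": re.search(r'msg:\s*"([^"]*)"', opts).group(1),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "content": decode_content(re.search(r'content:\s*"([^"]*)"', opts).group(1)),
        "nocase": re.search(r"\bnocase\b", opts) is not None,
        # flags: A+ means ACK plus anything else; without '+' the set must match exactly
        "flags": set(flags.group(1)) if flags else None,
        "flags_plus": bool(flags and flags.group(2)),
    }


def rule_matches(rule, pkt):
    """pkt = (src_ip, src_port, dst_ip, dst_port, tcp_flags, payload_bytes)."""
    src, sport, dst, dport, tcpflags, payload = pkt
    if not (in_net(rule["src"], src) and in_net(rule["dst"], dst)):
        return False
    if not (port_matches(rule["sport"], sport) and port_matches(rule["dport"], dport)):
        return False
    if rule["flags"] is not None:
        have = set(tcpflags)
        ok = rule["flags"] <= have if rule["flags_plus"] else rule["flags"] == have
        if not ok:
            return False
    needle, hay = rule["content"], payload
    if rule["nocase"]:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def evaluate(rule_lines, packets):
    """Return [(packet_index, msg), ...] for every rule that fires on a packet."""
    rules = [parse_rule(r) for r in rule_lines]
    return [(i, r["msg"]) for i, p in enumerate(packets) for r in rules if rule_matches(r, p)]


# The two rules from the post.
RULES = [
    'alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 80 (msg:"WEB-IIS cmd.exe Out"; '
    'flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"w32.Nimda worm incoming"; '
    'flags: A+; content:"|6D 65 3D 22 72 65 61 64 6D 65 2E 65 78 65 22|";)',
]

# Constructed sample traffic (not captured data).
PACKETS = [
    # 0: internal web server probing an outside host; mixed-case cmd.exe exercises nocase
    ("10.0.1.5", 1029, "203.0.113.7", 80, "PA",
     b"GET /scripts/..%5c../winnt/system32/CMD.exe?/c+dir HTTP/1.0\r\n\r\n"),
    # 1: the same probe coming in from outside; the outbound rule must stay silent
    ("203.0.113.7", 1030, "10.0.1.5", 80, "PA",
     b"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    # 2: inbound mail carrying the worm attachment as a MIME part
    ("198.51.100.9", 2048, "10.0.2.3", 25, "PA",
     b'Content-Type: audio/x-wav;\r\n\tname="readme.exe"\r\n'
     b"Content-Transfer-Encoding: base64\r\n"),
    # 3: inbound mail with a harmless attachment name
    ("198.51.100.9", 2049, "10.0.2.3", 25, "PA",
     b'Content-Type: text/plain;\r\n\tname="readme.txt"\r\n'),
]

if __name__ == "__main__":
    for idx, msg in evaluate(RULES, PACKETS):
        print("packet %d: %s" % (idx, msg))
```

Running it reports only packets 0 and 2. Note what the evaluator deliberately leaves out: Snort also reassembles streams and, in later versions, normalises URIs, so a real sensor would match `cmd.exe` across packet boundaries and after `%63md.exe`-style encoding, which this byte search over a single payload does not.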