Snort mailing list archives

Nimda rules that may help


From: Dr SuSE <drsuse () drsuse org>
Date: Tue, 18 Sep 2001 19:20:39 GMT

So far this morning we have seen almost 100,000 attempted cmd.exe exploits.
What we have done is comment out the cmd.exe exploit rule and rewrite it so
that it looks for infected hosts on our internal network attempting to exploit
external hosts. Here is the rule:

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 80 (msg:"WEB-IIS cmd.exe Out"; flags:A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)

Also, Chris Mayor wrote a simple rule to detect an incoming Nimda virus.

# The hex content below decodes to the ASCII string  me="readme.exe"  (the tail of a MIME name="readme.exe" or filename="readme.exe" header)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"w32.Nimda worm incoming"; flags:A+; content:"|6D 65 3D 22 72 65 61 64 6D 65 2E 65 78 65 22|";)

---------------------------------------------
Microsoft ist nicht installiert.
http://www.drsuse.org/



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
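As an added illustration (this is not code from the post, from Chris Mayor, or from the Snort project), the Python below re-implements only the content-matching part of the two rules above: it parses Snort's content notation, including the |hex| byte blocks, honours the nocase modifier, and evaluates both rules over a few constructed packet payloads. The direction and port checks are modelled by a per-event "source is internal" flag standing in for $HTTP_SERVERS/$HOME_NET versus $EXTERNAL_NET; the flags:A+ test is not modelled. It also shows why the hex pattern matches both name="readme.exe" and filename="readme.exe" headers, and why an inbound cmd.exe probe produces no alert once the rule is rewritten for outbound traffic.

```python
"""Toy evaluation of the two Nimda rules' content matches.

Added example, not Snort itself and not from the original mailing-list post.
Payloads below are constructed for the demonstration, not captured traffic.
"""


def parse_snort_content(spec: str) -> bytes:
    """Convert a Snort content:"..." string into the byte pattern it matches.

    Text outside |...| is literal; inside |...| each pair of hex digits is one
    byte, so "|6D 65|" -> b"me" and "ab|41|cd" -> b"abAcd".
    """
    out = bytearray()
    in_hex = False
    hexbuf = ""
    for ch in spec:
        if ch == "|":
            if in_hex:
                out += bytes.fromhex(hexbuf)
                hexbuf = ""
            in_hex = not in_hex
        elif in_hex:
            if not ch.isspace():
                hexbuf += ch
        else:
            out += ch.encode("latin-1")
    if in_hex:
        raise ValueError("unterminated |hex| block in content spec")
    return bytes(out)


def content_match(payload: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """Snort 'content' is a plain substring search; nocase folds ASCII case."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


# The two rules from the post, reduced to the fields this toy engine checks.
RULES = [
    {
        "msg": "WEB-IIS cmd.exe Out",
        "src_internal": True,   # $HTTP_SERVERS any -> $EXTERNAL_NET 80
        "dst_port": 80,
        "pattern": parse_snort_content("cmd.exe"),
        "nocase": True,
    },
    {
        "msg": "w32.Nimda worm incoming",
        "src_internal": False,  # $EXTERNAL_NET any -> $HOME_NET 25
        "dst_port": 25,
        "pattern": parse_snort_content("|6D 65 3D 22 72 65 61 64 6D 65 2E 65 78 65 22|"),
        "nocase": False,
    },
]

# Constructed events: (label, source is internal?, destination port, payload).
SAMPLE_EVENTS = [
    ("outbound probe", True, 80, b"GET /scripts/CMD.EXE?/c+dir HTTP/1.0\r\n\r\n"),
    ("inbound probe", False, 80, b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    ("inbound mail", False, 25, b'Content-Disposition: attachment; filename="readme.exe"\r\n'),
    ("inbound mail clean", False, 25, b'Content-Disposition: attachment; filename="notes.txt"\r\n'),
    ("outbound mail", True, 25, b'Content-Type: application/octet-stream; name="readme.exe"\r\n'),
]


def run_rules(events, rules=RULES):
    """Return (event label, rule msg) for every rule that fires on an event."""
    alerts = []
    for label, src_internal, dst_port, payload in events:
        for rule in rules:
            if rule["src_internal"] != src_internal or rule["dst_port"] != dst_port:
                continue  # direction/port header test failed
            if content_match(payload, rule["pattern"], rule["nocase"]):
                alerts.append((label, rule["msg"]))
    return alerts


if __name__ == "__main__":
    for label, msg in run_rules(SAMPLE_EVENTS):
        print(f"[{msg}] fired on: {label}")
```

Only the outbound CMD.EXE request and the inbound mail carrying readme.exe raise alerts: the inbound web probe is deliberately ignored by the rewritten rule, and the outbound mail misses the second rule's direction test even though its payload contains the pattern.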