Snort mailing list archives
Re: Nimda Rules
From: Rich Adamson <radamson () routers com>
Date: Wed, 19 Sep 2001 18:03:17 -0600
I have used these two successfully. Note: I got these off another list; I can't remember who posted them, but they work.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT"; uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin; rev:1;)

alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email Attachment"; content: "readme.exe"; nocase; flags:A+;)
This second rule seems to trip on every inbound email regardless of whether "readme.exe" exists or not. Any thoughts on what I might be doing wrong?

Rich
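Added example, not part of the original post: a small Python evaluator that parses the two rules quoted above and applies their content / uricontent / nocase options to constructed sample packets, so the matching behaviour of each pattern can be checked offline. It is not Snort (flags and the http_decode preprocessor are ignored), and the sample HTTP and SMTP payloads are constructed.

```python
import re
# Added example, not from the original post: evaluates the content / uricontent /
# nocase options of the two rules above on constructed packets. Not Snort: flags
# and the http_decode preprocessor are ignored.

RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT"; '
    'uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin; rev:1;)',
    'alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email '
    'Attachment"; content: "readme.exe"; nocase; flags:A+;)',
]

def parse_rule(rule):
    """Split a rule into header fields and an {option: value} dict."""
    header, body = rule.split("(", 1)
    action, proto, src, sport, arrow, dst, dport = header.split()
    opts = {}
    for opt in body.rstrip(")").split(";"):  # no ';' inside these patterns
        key, _, val = opt.strip().partition(":")
        if key:
            opts[key.strip()] = val.strip().strip('"')
    return {"proto": proto, "dport": dport, "opts": opts}

def rule_matches(parsed, dport, payload):
    """True when the destination port and every content/uricontent pattern match."""
    if parsed["dport"] not in ("any", str(dport)):
        return False
    opts, nocase = parsed["opts"], "nocase" in parsed["opts"]
    # uricontent inspects only the request URI; model it with the request line.
    m = re.match(r"[A-Z]+ (\S+) HTTP/", payload)
    buffers = {"content": payload, "uricontent": m.group(1) if m else ""}
    for key, buf in buffers.items():
        if key in opts:
            pat = opts[key]
            if (pat.lower() not in buf.lower()) if nocase else (pat not in buf):
                return False
    return True

def alerts_for(packets):
    """Return the msg of each rule that fires, per (dport, payload) packet."""
    parsed = [parse_rule(r) for r in RULES]
    return [[p["opts"]["msg"] for p in parsed if rule_matches(p, dport, data)]
            for dport, data in packets]

# Constructed sample traffic: a probe URI, a mail with an attachment, a plain mail.
SAMPLE = [
    (80, "GET /default.asp?/C+DIR HTTP/1.0\r\nHost: www.example.test\r\n\r\n"),
    (25, 'Content-Disposition: attachment; filename="README.EXE"\r\n'),
    (25, "Subject: meeting notes\r\n\r\nSee you at 10.\r\n"),
]
```

Running `alerts_for(SAMPLE)` fires the first rule only on the HTTP probe and the second only on the mail that actually carries the "readme.exe" string, which is the baseline to compare against when a deployed rule alerts on every message.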