Snort mailing list archives

Re: All snort users -- Rules?


From: Phil Wood <cpw () lanl gov>
Date: Sat, 22 Sep 2001 18:20:17 -0600

This NIMDA thing is multifaceted; you will possibly need more than one rule
to sense what's happening.  Unfortunately, it's really too late. All those
who use IE 5.[01] and cruise the web are in deep doo-doo.  As you all know,
you can get it in email and as you browse the web (automatic, no need to
click on the "attachment").  After you hit one of those sites, your system
will be infected, and you will join the legions attacking the Internet.

Basically, you and everyone else need to get the vulnerable Microsoft
systems upgraded to the absolutely newest OS version, and then patched.
Prior to that you need to unhook all vulnerable Microsoft systems from the net,
or they will soon be participating in this brouhaha.  If this is just too
hard to do, then I guess the best thing would be to disconnect your
network from the Internet.

However, if you want to watch it happening, and build special rules to
catch the various facets of this "virus", I've included the virus as sent
over the web (same as the one sent in email), which you can investigate and
construct rules to detect.

Bonne chance,

On Sat, Sep 22, 2001 at 03:21:20PM -0400, Tim wrote:
To all snort users:


I am still learning and would like to learn more. Time is not on my side in reference to the Nimda attacks. Even
though I have locked down our servers with the necessary patches and removal of unnecessary services, I believe
that our network is still vulnerable.

I have started to learn snort....but not soon enough....if you would all provide me with or point me in the direction
where I can find a rule set for the nimda virus and its detection/repair/deletion, I would be ever so grateful.

---
Tim -- Mia/Fla.
--

          -------------
       I prefer to be a dreamer 
         among the humblest,
     with visions to be realized, 
   than a lord among those without
        dreams and desires.
           ------------

-- 
Phil Wood, cpw () lanl gov

Attachment: admin.asc
Description:

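Phil's point that one rule is not enough is easy to see by writing one Snort rule per facet of the worm's HTTP behaviour and running them over the request lines the worm sends. The block below is an added example, not code from this mail or its attachment (admin.asc is not reproduced here). The request strings are constructed from the Nimda probe sequence documented in CERT Advisory CA-2001-26 (root.exe, cmd.exe?/c+dir, the ..%255c and ..%c0%af traversals, and the readme.eml window.open snippet); the rules are written in Snort 1.x syntax with assumed sids 1000001-1000005, and they are evaluated by a small Python matcher of my own that understands only msg, content, nocase and sid, not by Snort itself.

```python
"""Snort-style content matching for the Nimda HTTP probes (added example).

The rule text is real Snort 1.x syntax, but the evaluator below is a
deliberate simplification: it honours only msg, content, nocase and sid,
ignores the rule header (addresses, ports, direction) and applies nocase
to every content in a rule rather than only the preceding one.
"""
import re

# Assumed rule set: one rule per facet of the worm's HTTP traffic.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"NIMDA root.exe backdoor probe"; content:"/root.exe?/c+dir"; nocase; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"NIMDA cmd.exe directory listing"; content:"cmd.exe?/c+dir"; nocase; sid:1000002;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"NIMDA double-decoded traversal"; content:"..%255c"; sid:1000003;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"NIMDA unicode traversal"; content:"..%c0%af"; sid:1000004;)',
    'alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"NIMDA readme.eml injected into page"; content:"readme.eml"; nocase; sid:1000005;)',
]

# Constructed sample payloads (not captured traffic): the worm's probe
# sequence from CA-2001-26, one benign request, and the JavaScript the worm
# appends to web pages on an infected IIS server.
SAMPLES = [
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /MSADC/root.exe?/c+dir HTTP/1.0",
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",
    '<html><script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script></html>',
]

# option-name, optional ':"quoted value"' or ':bare value', terminating ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*"((?:[^"\\]|\\.)*)"|:\s*([^;]+))?\s*;')


def parse_rule(rule):
    """Split a Snort rule into its header and the handful of options we use."""
    header, _, body = rule.partition("(")
    body = body.rstrip().rstrip(")")
    parsed = {"header": header.strip(), "contents": [], "nocase": False,
              "msg": "", "sid": None}
    for name, quoted, bare in OPTION_RE.findall(body):
        if name == "content":
            parsed["contents"].append(quoted)
        elif name == "nocase":
            parsed["nocase"] = True
        elif name == "msg":
            parsed["msg"] = quoted
        elif name == "sid":
            parsed["sid"] = int(bare.strip())
    return parsed


def rule_matches(parsed, payload):
    """True when every content string of the rule occurs in the payload."""
    if parsed["nocase"]:
        payload = payload.lower()
        return all(c.lower() in payload for c in parsed["contents"])
    return all(c in payload for c in parsed["contents"])


def fired(payload, rules=RULES):
    """Return the sids of all rules that fire on one payload, in rule order."""
    return [r["sid"] for r in map(parse_rule, rules) if rule_matches(r, payload)]


def scan(samples=SAMPLES, rules=RULES):
    """Map each sample payload to the list of sids that fire on it."""
    return {s: fired(s, rules) for s in samples}


if __name__ == "__main__":
    names = {r["sid"]: r["msg"] for r in map(parse_rule, RULES)}
    for payload, sids in scan().items():
        print(payload[:60].ljust(60), [names[s] for s in sids] or "-")
```

Note that the traversal probes trip two rules each (the cmd.exe rule plus the encoding-specific one) while the root.exe probe and the readme.eml page trip only one; a single catch-all content would miss one vector or the other, which is the "more than one rule" point above. In production Snort you would also put the readme.eml rule on server-to-client traffic (as its header does) and prefer `|..|` hex content for anything containing quotes.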
