Snort mailing list archives

Previous By Date Next
Previous By Thread Next

local codered infection

From: <bthaler () webstream net>
Date: Wed, 6 Feb 2002 13:27:35 -0500
Is anyone using a snort rule to detect *local* infections of codered, nimda,
etc?

I tried:
alert tcp x.x.x.x any -> any 80 (msg:"***LOCAL CODERED INFECTION***";
content:"/cmd.exe"; nocase;)

but this doesn't seem to work.

I tested it by trying to access www.yahoo.com/cmd.exe, which should throw a
false positive.

Is my testing flawed, or the rule, or both?





Sincerely,

Brad T.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: