Snort mailing list archives

Re: local codered infection

From: Ryan Russell <ryan () securityfocus com>
Date: Wed, 6 Feb 2002 11:49:19 -0700 (MST)

On Wed, 6 Feb 2002 bthaler () webstream net wrote:

Is anyone using a snort rule to detect *local* infections of codered, nimda,
etc?

I tried:
alert tcp x.x.x.x any -> any 80 (msg:"***LOCAL CODERED INFECTION***";
content:"/cmd.exe"; nocase;)


CodeRed.b is the only active one out there at the moment.  It doesn't
contain the string "cmd.exe".  That was Codered II (CodeRed.c and
CodeRed.d).


but this doesn't seem to work.

I tested it by trying to access www.yahoo.com/cmd.exe, which should throw a
false positive.

From that IP address, obviously, yes?


Is my testing flawed, or the rule, or both?


Where did you put the rule, and did you restart Snort?

                                        Ryan


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

local codered infection bthaler (Feb 06)
- Re: local codered infection Ryan Russell (Feb 06)
  - Re: local codered infection bthaler (Feb 06)
  - Re: local codered infection Phil Wood (Feb 06)
    - Re: local codered infection Ryan Russell (Feb 06)
    - Re: local codered infection bthaler (Feb 06)
- <Possible follow-ups>
- RE: local codered infection Chip Kelly (Feb 06)