Snort mailing list archives
RE: local codered infection
From: Chip Kelly <Chip.Kelly () sas com>
Date: Wed, 6 Feb 2002 13:45:09 -0500
alert tcp $INTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Local rule: CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype:web-application-attack; sid: 1000000; rev:1;)

The only difference between your rule and the one for CodeRed V2 located in WEB-IIS.rules appears to be "content:" versus "uricontent:"

-chip

-----Original Message-----
From: bthaler () webstream net [mailto:bthaler () webstream net]
Sent: Wednesday, February 06, 2002 1:28 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] local codered infection

Is anyone using a snort rule to detect *local* infections of codered, nimda, etc?

I tried:

alert tcp x.x.x.x any -> any 80 (msg:"***LOCAL CODERED INFECTION***"; content:"/cmd.exe"; nocase;)

but this doesn't seem to work. I tested it by trying to access www.yahoo.com/cmd.exe, which should throw a false positive. Is my testing flawed, or the rule, or both?

Sincerely,
Brad T.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
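The thread turns on the difference between "content:" and "uricontent:". The following is an added illustration, not code from Chip, Brad or the Snort project: a small constructed Python model of the two options in which "content:" is searched against the whole TCP payload and "uricontent:" only against the request URI taken from the HTTP request line, with "nocase" folding both sides to lower case. It assumes a simplified request-line parser and ignores Snort's URI normalization (the http_decode preprocessor in that era), so it only demonstrates where each option looks, not everything a real Snort match does. The rule names, sample requests and helper functions (Rule, request_uri, rule_matches, matching_rules) are all constructed for this example.

```python
# Added example: a constructed model of Snort "content:" vs "uricontent:".
# Not Snort's own code; URI normalization/decoding is deliberately omitted.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    pattern: str      # the string given to content:/uricontent:
    uri_only: bool    # True models uricontent:, False models content:
    nocase: bool = True


# Matches "METHOD SP request-uri SP HTTP/x.y CRLF" at the start of a payload.
REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/\d\.\d\r?\n")


def request_uri(payload: bytes) -> Optional[bytes]:
    """Return the request URI from an HTTP request line, or None if absent."""
    m = REQUEST_LINE.match(payload)
    return m.group(1) if m else None


def rule_matches(rule: Rule, payload: bytes) -> bool:
    """content: searches the whole payload; uricontent: only the request URI."""
    haystack = request_uri(payload) if rule.uri_only else payload
    if haystack is None:          # no parseable request line -> uricontent cannot fire
        return False
    needle = rule.pattern.encode()
    if rule.nocase:
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack


# Constructed rules: the two root.exe variants differ only in the option used,
# plus a content-only "/cmd.exe" rule in the style of the original question.
RULES: Dict[str, Rule] = {
    "uricontent root.exe": Rule("scripts/root.exe?", uri_only=True),
    "content root.exe": Rule("scripts/root.exe?", uri_only=False),
    "content cmd.exe": Rule("/cmd.exe", uri_only=False),
}

# Constructed sample payloads (not real captures).
CODERED_PROBE = b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: 10.0.0.5\r\n\r\n"
CMD_TEST = b"GET /cmd.exe HTTP/1.0\r\nHost: www.yahoo.com\r\n\r\n"
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
# Same string only in a POST body: content: sees it, uricontent: does not.
BODY_ONLY = (b"POST /search HTTP/1.0\r\nHost: www.example.com\r\n"
             b"Content-Length: 21\r\n\r\nq=/scripts/root.exe?x")
UPPER_PROBE = b"GET /SCRIPTS/ROOT.EXE?/c+dir HTTP/1.0\r\nHost: 10.0.0.5\r\n\r\n"


def matching_rules(payload: bytes) -> List[str]:
    """Names of the rules that would fire on this payload, sorted for stability."""
    return sorted(name for name, rule in RULES.items() if rule_matches(rule, payload))


if __name__ == "__main__":
    for label, p in [("codered", CODERED_PROBE), ("cmd test", CMD_TEST),
                     ("benign", BENIGN), ("body only", BODY_ONLY)]:
        print(f"{label:10s} -> {matching_rules(p)}")
```

Running the block shows the practical consequence for a local-infection rule: a uricontent: rule only fires on strings in the request URI itself, while a content: rule fires anywhere in the payload, including POST bodies and headers, which affects both what is detected and what false positives a test such as fetching a bogus /cmd.exe path will produce.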
Current thread:
- local codered infection bthaler (Feb 06)
- Re: local codered infection Ryan Russell (Feb 06)
- Re: local codered infection bthaler (Feb 06)
- Re: local codered infection Phil Wood (Feb 06)
- Re: local codered infection Ryan Russell (Feb 06)
- Re: local codered infection bthaler (Feb 06)
- Re: local codered infection Ryan Russell (Feb 06)
- <Possible follow-ups>
- RE: local codered infection Chip Kelly (Feb 06)