Snort mailing list archives
Re: local codered infection
From: <bthaler () webstream net>
Date: Wed, 6 Feb 2002 13:58:34 -0500
The rule is in local.rules along with my other codered rules. I just realized that it is *below* the other codered rules, which is probably the problem. Yes, I did restart snort.

Sincerely,
Brad T.
Technical Support
WebStream Internet Solutions
brad () webstream net
http://www.webstream.net
(888) 932-2333 Toll-Free
(954) 730-7127 Local
(954) 733-7067 Fax
(954) 730-7405 Help Desk

*******************Internet Email Confidentiality Footer*******************
This communication contains proprietary business information and may contain confidential information. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately destroy, discard, or erase this communication.

----- Original Message -----
From: "Ryan Russell" <ryan () securityfocus com>
To: <bthaler () webstream net>
Cc: <snort-users () lists sourceforge net>
Sent: Wednesday, February 06, 2002 1:49 PM
Subject: Re: [Snort-users] local codered infection
> On Wed, 6 Feb 2002 bthaler () webstream net wrote:
>
> > Is anyone using a snort rule to detect *local* infections of codered,
> > nimda, etc? I tried:
> >
> > alert tcp x.x.x.x any -> any 80 (msg:"***LOCAL CODERED INFECTION***"; content:"/cmd.exe"; nocase;)
>
> CodeRed.b is the only active one out there at the moment. It doesn't
> contain the string "cmd.exe". That was Codered II (CodeRed.c and CodeRed.d).
>
> > but this doesn't seem to work. I tested it by trying to access
> > www.yahoo.com/cmd.exe, which should throw a false positive.
>
> From that IP address, obviously, yes?
>
> > Is my testing flawed, or the rule, or both?
>
> Where did you put the rule, and did you restart Snort?
>
> Ryan
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
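The thread turns on three things: whether the rule's source address covers the host doing the test, whether the payload actually contains the `content` string (with `nocase`), and where the rule sits relative to other rules that match the same packet. The following is an added example, not code from the thread or from Snort itself: a small Python matcher for single-line Snort-style rules like the one quoted above. It assumes a first-match, one-alert-per-packet model (which is what the poster suspects is hiding his local rule below the generic cmd.exe rules); that model, the placeholder network `192.168.1.0/24` standing in for `x.x.x.x`, the generic `WEB-IIS cmd.exe access` rule, and all packets are constructed for illustration.

```python
"""Minimal Snort-style rule matcher (added example; not Snort's engine)."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    contents: list   # list of bytes patterns, all must appear in the payload
    nocase: bool


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(text):
    """Parse one rule line; only msg, content and nocase options are understood."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    msg, contents, nocase = "", [], False
    for opt in opts.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        if ":" in opt:
            key, val = (p.strip() for p in opt.split(":", 1))
            val = val.strip('"')
            if key == "msg":
                msg = val
            elif key == "content":
                contents.append(val.encode())
        elif opt == "nocase":
            nocase = True
    return Rule(action, proto, src, sport, dst, dport, msg, contents, nocase)


def addr_matches(spec, ip):
    """'any', a single IP, a CIDR block, optionally negated with '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """Header (addresses/ports) and every content pattern must match."""
    if not (addr_matches(rule.src, pkt.src_ip) and port_matches(rule.sport, pkt.src_port)
            and addr_matches(rule.dst, pkt.dst_ip) and port_matches(rule.dport, pkt.dst_port)):
        return False
    hay = pkt.payload.lower() if rule.nocase else pkt.payload
    return all((c.lower() if rule.nocase else c) in hay for c in rule.contents)


def first_alert(rules, pkt):
    """Return the msg of the first alert rule (in file order) that matches, else None.
    Assumption: one alert per packet, first match wins, which is the ordering
    effect the thread suspects; real Snort behaviour depends on version/config."""
    for r in rules:
        if r.action == "alert" and rule_matches(r, pkt):
            return r.msg
    return None


# Constructed rules: a generic cmd.exe rule and the poster's local rule.
LOCAL_NET = "192.168.1.0/24"   # placeholder for the x.x.x.x in the thread
GENERIC_RULE = 'alert tcp any any -> any 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase;)'
LOCAL_RULE = ('alert tcp %s any -> any 80 (msg:"***LOCAL CODERED INFECTION***"; '
              'content:"/cmd.exe"; nocase;)' % LOCAL_NET)

# Constructed packets (TEST-NET addresses, not real hosts).
CMD_REQ = b"GET /cmd.exe HTTP/1.0\r\nHost: www.yahoo.com\r\n\r\n"
INFECTED_HOST = Packet("192.168.1.10", 1234, "203.0.113.5", 80, CMD_REQ)   # local -> outside
OUTSIDE_HOST = Packet("203.0.113.9", 1234, "192.168.1.20", 80, CMD_REQ)    # outside -> local
BENIGN = Packet("192.168.1.10", 1234, "203.0.113.5", 80, b"GET /index.html HTTP/1.0\r\n\r\n")


def demo():
    """Show how rule order and source address decide which alert fires."""
    local_last = [parse_rule(GENERIC_RULE), parse_rule(LOCAL_RULE)]
    local_first = [parse_rule(LOCAL_RULE), parse_rule(GENERIC_RULE)]
    return {
        "local_last": first_alert(local_last, INFECTED_HOST),    # generic rule shadows it
        "local_first": first_alert(local_first, INFECTED_HOST),  # local rule now fires
        "outside": first_alert(local_first, OUTSIDE_HOST),       # wrong src for local rule
        "benign": first_alert(local_first, BENIGN),              # no cmd.exe, nothing fires
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-12s %s" % (k, v))
```

With the local rule listed after the generic one, the same packet produces only the generic alert, which is the symptom described in the thread; moving it above restores the `***LOCAL CODERED INFECTION***` message. The `outside` case is Ryan's "from that IP address" point: a test from a host outside the rule's source network can never trigger the local rule, however correct the content match is.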
Current thread:
- local codered infection bthaler (Feb 06)
- Re: local codered infection Ryan Russell (Feb 06)
- Re: local codered infection bthaler (Feb 06)
- Re: local codered infection Phil Wood (Feb 06)
- Re: local codered infection Ryan Russell (Feb 06)
- Re: local codered infection bthaler (Feb 06)
- Re: local codered infection Ryan Russell (Feb 06)
- <Possible follow-ups>
- RE: local codered infection Chip Kelly (Feb 06)