Re: local codered infection

[Phil Wood <cpw () lanl gov>]

On Wed, Feb 06, 2002 at 11:49:19AM -0700, Ryan Russell wrote:
> On Wed, 6 Feb 2002 bthaler () webstream net wrote:
>
> > Is anyone using a snort rule to detect *local* infections of codered, nimda,
> > etc?
> >
> > I tried:
> > alert tcp x.x.x.x any -> any 80 (msg:"***LOCAL CODERED INFECTION***";
> > content:"/cmd.exe"; nocase;)
>
> CodeRed.b is the only active one out there at the moment.  It doesn't
> contain the string "cmd.exe".  That was Codered II (CodeRed.c and
> CodeRed.d).

For what it's worth, I saw 113,281 WEB-IIS cmd.exe accesses yesterday.

> > but this doesn't seem to work.
> >
> > I tested it by trying to access www.yahoo.com/cmd.exe, which should throw a
> > false positive.
>
> > From that IP address, obviously, yes?
>
> > Is my testing flawed, or the rule, or both?
>
> Where did you put the rule, and did you restart Snort?
>
>                                       Ryan
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users