Snort mailing list archives

Re: DOS rules for Nimda

From: Chris Green <cmg () sourcefire com>
Date: Thu, 26 Sep 2002 10:05:06 -0400

"Richard Ellerbrock" <richarde () eskom co za> writes:

I am trying to help a very large site that is being killed by denial of
service due to a large number of MS type workstations infected by Nimda.
The standard snort rules are no good as no connection is actually made,
just a HUGE SYN flood looking for open Web servers to infect. Traffic
looks like this:


The easiest way to detect this is by saying

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg: "OUTGOING cmd.exe";
content: "cmd.exe");

because eventually one of these will do the probing.
-- 
Chris Green <cmg () sourcefire com>
Warning: time of day goes back, taking countermeasures.



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

DOS rules for Nimda Richard Ellerbrock (Sep 26)
- Re: DOS rules for Nimda Chris Green (Sep 26)
- Re: DOS rules for Nimda Martin Roesch (Sep 26)
- <Possible follow-ups>
- RE: DOS rules for Nimda McCammon, Keith (Sep 26)
- RE: DOS rules for Nimda Tudor Panaitescu (Sep 26)
- RE: DOS rules for Nimda Richard Ellerbrock (Sep 26)
- Re: DOS rules for Nimda Richard Ellerbrock (Sep 26)
- RE: DOS rules for Nimda Madziarczyk, Jonathan (Sep 26)
- RE: DOS rules for Nimda Richard Ellerbrock (Sep 26)