Snort mailing list archives

Re: nimda


From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 12 Jul 2002 14:39:07 -0600 (MDT)

On Fri, 12 Jul 2002, J. Craig Woods wrote:
> Maybe I am missing something here, and it would not be the first nor the
> last time that I missed something but wouldn't your mail scanner be
> picking traffic up on port 25? Nimda attacks would be on port 80.
> Furthermore, are you saying that the nimda is part of the email traffic?
> Not sure what you are saying here. Maybe you could elucidate for us...

Sure, Nimda mails itself around.  If you're just watching any port for
some string that appears in the Nimda binary, you may see it on ports 80,
25, 110, 143, 139, 445, 69, and probably others I hadn't thought of.

                                                Ryan


