Re: Please post a good Nachi.B Signature

[SN ORT <snort_on_acid () yahoo com>]

Yeah real simple. Make your own rules. Have them spot
out anyone scanning on ports 135 and 445 outside your
network. Obviously no one should be scanning outside
your network on these ports. And since the IPs scanned
are random IPs, they will be hitting your default
route. This is the only propogation method, seeking to
exploit the wkssrv.
 

Cheese!

Marc 

> Message: 3
> Date: Sat, 21 Feb 2004 16:08:25 -0800 (PST)
> From: Dan <sophie_bo () earthlink net>
> Reply-To: Dan <sophie_bo () earthlink net>
> To: Erek Adams <erek () snort org>, Dan
<sophie_bo () earthlink net>
> Subject: Re: [Snort-users] Please post a good Nachi.B
> Signature
> Cc: snort-users () lists sourceforge net

> * I had already checked the snort sigs mailing list
> archives to no avail.

> * I help secure a 100,000 + node network. The sig for
> the original Nachi virus worked great.

> Now, can anyone provide some real help and post a
> working sig for Nachi.B?

> Thanks,

> Dan


__________________________________
Do you Yahoo!?
Yahoo! Mail SpamGuard - Read only the mail you want.
http://antispam.yahoo.com/tools


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users