Snort mailing list archives
Re: Black/Nyxem
From: Kevin Ponds <kponds () gmail com>
Date: Thu, 26 Jan 2006 12:47:23 -0600
It looks like you are just seeing someone surf http://www.snort.org/rules/advisories/vrt-rules-2006-01-25.html and click on the link to the counter...

On 1/26/06, Ron Jenkins <rjenkins () dibr net> wrote:
> On the below rule, does anyone show the payload as:
>
> GET /cgi-bin/Count.cgi?df=765247 HTTP/1.1..Accept: */*..Referer: http://www.snort.org/rules/advisories/vrt-rules-2006-01-25.html.
>
> alert tcp $HOME_NET any -> 207.172.16.155 80 (msg:"COMMUNITY VIRUS Possible BlackWorm or Nymex infected host"; uricontent:"/cgi-bin/Count.cgi?df=765247"; sid:100000226; rev:1;)
>
> Ron Jenkins (SnortCP, MCNE, CNE6, MCP, CCNA, CCEA)
> Senior Architect
> Data Integrity, LLC
> "We Integrate People with Solutions"
> 1724 Dallas Drive Suite 11
> Baton Rouge, La 70806
> Office. 225.927.8030
> Fax. 225.927.8033
> Cell. 225.931.1632
> Email. rjenkins () dibr net
> Web. http://www.dibr.net
> (Aanval Reseller and Technology Partner)
> http://www.aanval.com/tour/dibr
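A triage helper for payloads captured by sid 100000226, added here as an illustration; it is not part of the original thread or of the Snort rule set. It parses the ASCII payload dump (CRLF rendered as `..`) and flags hits whose Referer is the advisory page, the case described in the reply above. The function names and verdict strings are assumptions, and the verdict is only a hint because the Referer header is supplied by the client.

```python
import re
from urllib.parse import urlparse

COUNTER_URI = "/cgi-bin/Count.cgi?df=765247"  # uricontent from the rule in the thread
ADVISORY_HOST = "www.snort.org"               # Referer host seen in the reported payload

def parse_payload(dump):
    """Parse an ASCII payload dump in which CRLF is rendered as '..'.

    Limitation: a URI that itself contains '..' would be split incorrectly.
    """
    lines = [ln for ln in re.split(r"\r\n|\.\.", dump.strip()) if ln]
    if not lines or len(lines[0].split(" ")) != 3:
        raise ValueError("not an HTTP request: %r" % dump[:40])
    method, uri, _version = lines[0].split(" ")
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:  # drop the dump's trailing '.' left from a cut-off CRLF
            headers[name.strip().lower()] = value.strip().rstrip(".")
    return method, uri, headers

def triage(dump):
    """Return a triage hint for one alert payload (hint only: Referer is client-supplied)."""
    _method, uri, headers = parse_payload(dump)
    if COUNTER_URI not in uri:
        return "no-match"
    referer = headers.get("referer")
    if referer and urlparse(referer).hostname == ADVISORY_HOST:
        return "advisory-click"   # browser followed the link on the advisory page
    return "investigate"          # no Referer, or a Referer from somewhere else

# Payload as quoted in the thread, followed by constructed samples.
THREAD_PAYLOAD = ("GET /cgi-bin/Count.cgi?df=765247 HTTP/1.1..Accept: */*.."
                  "Referer: http://www.snort.org/rules/advisories/vrt-rules-2006-01-25.html.")
NO_REFERER = "GET /cgi-bin/Count.cgi?df=765247 HTTP/1.1..Accept: */*...."   # constructed
OTHER_URI = "GET /index.html HTTP/1.1..Accept: */*...."                      # constructed

if __name__ == "__main__":
    for name, dump in [("thread", THREAD_PAYLOAD), ("no-referer", NO_REFERER),
                       ("other-uri", OTHER_URI)]:
        print(name, "->", triage(dump))
```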