Snort mailing list archives

Re: Black/Nyxem

From: Kevin Ponds <kponds () gmail com>
Date: Thu, 26 Jan 2006 12:47:23 -0600

It looks like you are just seeing someone surf
http://www.snort.org/rules/advisories/vrt-rules-2006-01-25.html and click on
the link to the counter...

On 1/26/06, Ron Jenkins <rjenkins () dibr net> wrote:


 On the below rule, does anyone show the payload as:



GET /cgi-bin/Count.cgi?df=765247 HTTP/1.1..Accept: */*..Referer:
http://www.snort.org/rules/advisories/vrt-rules-2006-01-25.html.











alert tcp $HOME_NET any -> 207.172.16.155 80 (msg:"COMMUNITY VIRUS
Possible BlackWorm or Nymex infected host";
uricontent:"/cgi-bin/Count.cgi?df=765247"; sid:100000226; rev:1;)









Ron Jenkins (SnortCP, MCNE, CNE6, MCP, CCNA, CCEA)
Senior Architect
Data Integrity, LLC
"We Integrate People with Solutions"
1724 Dallas Drive
Suite 11
Baton Rouge, La 70806
Office. 225.927.8030
Fax. 225.927.8033
Cell225.931.1632

Email. rjenkins () dibr net
Web. http://www.dibr.net

(Aanval Reseller and Technology Partner)

http://www.aanval.com/tour/dibr

Current thread:

Black/Nyxem Ron Jenkins (Jan 26)
- Re: Black/Nyxem Kevin Ponds (Jan 26)
- WINSNORT.com - Announcing new WinIDS Guides for 2006 Michael Steele (Jan 26)
- Re: Black/Nyxem Frank Knobbe (Jan 26)
  - Re: Black/Nyxem Matthew Watchinski (Jan 26)