Security Incidents mailing list archives
RE: Nimda Worm Mitigation: Snort
From: Kain X <kain () kain org>
Date: 19 Sep 2001 00:26:11 -0600
On Tue, 2001-09-18 at 20:52, Jason Lewis wrote:
> Anyone doing anything different? How about something that tails an apache log file and adds ipchains rules to kill infected IP's? Anyone want to write it?
Here are some snort rules you can trigger on. I didn't write them; I haven't tested them. These may not even be complete. I found them on http://www.sli.mine.ru/ . Have fun.

# Outbound request for the worm's HTML/MIME payload file
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Nimda worm attempt"; uricontent:"readme.eml"; flags:A+;)
# Inbound HTTP reply carrying the injected script; hex decodes to: .open("readme.eml
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Nimda worm attempt"; content:"|2e6f70656e2822726561646d652e656d6c|"; flags:A+;)
# Inbound and outbound SMTP carrying the MIME attachment; hex decodes to: name="readme.exe"
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"Nimda worm attempt"; content:"|6e616d653d22726561646d652e65786522|"; flags:A+;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Nimda worm attempt"; content:"|6e616d653d22726561646d652e65786522|"; flags:A+;)

-- 
All programmers are playwrights and all computers are lousy actors.
** Penguin Farmer Bryon Roche, Kain <kain () imperativesoultions com> <kain () kain org>
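The log-tailing blocker that Jason asks about above, as an added example that is not part of the thread and not anything either poster wrote. It assumes an Apache combined-format access log, a list of URI substrings typical of the worm's web probes (root.exe, cmd.exe, readme.eml; the list is an assumption the operator should tune), and an ipchains command of the form `ipchains -I input -s <ip> -j DENY`. The sample log lines are constructed. It blocks only after a configurable number of probe hits from one address, so a single curious request does not get an address firewalled, never blocks addresses inside an allowlisted home network, and defaults to a dry run that only prints the rules it would add.

```python
import ipaddress
import re
import subprocess
import sys
import time
from collections import Counter

# Constructed sample of Apache combined-format log lines (not a real capture).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:20:01:02 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
192.0.2.10 - - [18/Sep/2001:20:01:03 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
192.0.2.10 - - [18/Sep/2001:20:01:04 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [18/Sep/2001:20:02:00 -0600] "GET /index.html HTTP/1.0" 200 1432 "-" "Mozilla/4.0"
203.0.113.5 - - [18/Sep/2001:20:03:00 -0600] "GET /readme.eml HTTP/1.0" 404 210 "-" "-"
"""

# Assumed worm-probe URI substrings; tune for your own environment.
PROBE_PATTERNS = ("root.exe", "cmd.exe", "readme.eml")

# Addresses never to block (assumed home network; adjust to yours).
HOME_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Apache combined format: client, ident, user, [time], "METHOD URI PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def is_probe(uri):
    """True if the request URI contains one of the worm-probe substrings."""
    lowered = uri.lower()
    return any(p in lowered for p in PROBE_PATTERNS)


def is_home(ip):
    """True if the address is inside a network we refuse to block."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # not a usable IP string: treat as unblockable
    return any(addr in net for net in HOME_NETS)


def offending_ips(lines, threshold=2):
    """Count probe requests per client and return those at or above threshold."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_probe(m.group("uri")):
            continue
        if not is_home(m.group("ip")):
            counts[m.group("ip")] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


def ipchains_rule(ip):
    """Command that denies all input from the address (ipchains syntax)."""
    return ["ipchains", "-I", "input", "-s", ip, "-j", "DENY"]


def block(ip, blocked, dry_run=True):
    """Add a deny rule once per address; returns True if a rule was (or would be) added."""
    if ip in blocked or is_home(ip):
        return False
    if dry_run:
        print("would run:", " ".join(ipchains_rule(ip)))
    else:
        subprocess.run(ipchains_rule(ip), check=True)
    blocked.add(ip)
    return True


def follow(path, interval=1.0):
    """Yield new lines appended to path, like tail -f."""
    with open(path) as fh:
        fh.seek(0, 2)  # start at end of file
        while True:
            line = fh.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(interval)


if __name__ == "__main__":
    # Usage: python nimda_block.py /var/log/apache/access_log [--apply]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    apply_rules = "--apply" in sys.argv
    blocked = set()
    counts = Counter()
    source = follow(path) if path else SAMPLE_LOG.splitlines()
    for line in source:
        m = LOG_RE.match(line)
        if m and is_probe(m.group("uri")):
            counts[m.group("ip")] += 1
            if counts[m.group("ip")] >= 2:
                block(m.group("ip"), blocked, dry_run=not apply_rules)
```

Run with no arguments to see the dry-run output for the constructed sample; pass a log path to follow a live file, and add `--apply` only once the pattern list and home-network allowlist have been checked, since every rule this adds is a permanent deny until the chain is flushed.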