Snort mailing list archives
Concept/Nimda Snort 1.8.1 rules
From: "Paul Asadoorian" <paul.com () home com>
Date: Tue, 18 Sep 2001 18:11:26 -0400
All:

I wrote two new rules in an attempt to log this activity at my site:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT"; uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin; rev:1;)

This rule catches anything that the other rules may miss. Granted it needs work and integration into the other IIS rules, but it has logged entries and helped me to identify hosts that are infected.

alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email Attachment"; content: "readme.exe"; nocase; flags:A+;)

The version of sendmail we are running does not allow us to filter by attachment :-( I wrote the above rule to log all the email activity; we are lucky to have one mail aggregation point, which makes this rule very effective for finding attachments.

Hope this helps....

Paul Asadoorian, GCIA

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
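To make the matching behaviour of the two posted rules concrete, here is an added toy model (not part of the original post, and not Snort itself) that applies the same options to constructed TCP segments. It shows what a practitioner would want to verify before deploying them: that `nocase` catches upper-case variants, that `uricontent` inspects only the request URI while `content` inspects the whole payload, that the port in the rule header confines each rule to its service, and that a short pattern like `c+dir` also fires on a benign path that happens to contain it. The segment records, flag letters and sample payloads are all constructed for illustration.

```python
"""Toy model of the two Snort 1.8.1 rules from the post, applied to
constructed traffic records (not real captures). Added example only."""

# Hypothetical simplification of each rule's header and matching options.
RULES = [
    {   # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
        #   (msg:"CONCEPT ATTEMPT"; uricontent:"c+dir"; nocase; flags:A+; ...)
        "msg": "CONCEPT ATTEMPT",
        "dport": 80,
        "pattern": "c+dir",
        "where": "uri",       # uricontent: only the request URI is inspected
    },
    {   # alert tcp any any -> $HOME_NET 25
        #   (msg:"Possible CONCEPT Worm Email Attachment"; content:"readme.exe"; nocase; flags:A+;)
        "msg": "Possible CONCEPT Worm Email Attachment",
        "dport": 25,
        "pattern": "readme.exe",
        "where": "payload",   # content: the whole TCP payload is inspected
    },
]


def request_uri(payload):
    """URI from an HTTP request line such as 'GET /index.html HTTP/1.0';
    empty string when the payload is not a request line."""
    parts = payload.split()
    return parts[1] if len(parts) >= 2 else ""


def rule_matches(rule, dport, flags, payload):
    """Apply one rule to one TCP segment. `flags` holds Snort flag letters
    ('A' ACK, 'P' PSH, 'S' SYN, ...); 'A+' means ACK set plus anything else."""
    if dport != rule["dport"] or "A" not in flags:
        return False
    haystack = request_uri(payload) if rule["where"] == "uri" else payload
    # Both rules carry nocase, so the comparison is case-insensitive.
    return rule["pattern"].lower() in haystack.lower()


def run_rules(segments):
    """Return the (msg, payload) pairs that would become Snort alerts."""
    alerts = []
    for dport, flags, payload in segments:
        for rule in RULES:
            if rule_matches(rule, dport, flags, payload):
                alerts.append((rule["msg"], payload))
    return alerts


# Constructed sample segments: (destination port, TCP flags, payload).
SAMPLE_SEGMENTS = [
    (80, "AP", "GET /index.html HTTP/1.0"),                # benign, no alert
    (80, "AP", "GET /cgi-bin/test.exe?/C+DIR HTTP/1.0"),   # upper case, still caught (nocase)
    (80, "AP", "GET /pic+directory/photo.jpg HTTP/1.0"),   # benign path containing 'c+dir': false positive
    (80, "AP", "GET /readme.exe HTTP/1.0"),                # port 80, so the SMTP rule does not fire
    (25, "AP", 'Content-Disposition: attachment; filename="README.EXE"'),  # caught (nocase)
    (25, "AP", "Subject: weekly report"),                  # benign, no alert
]

if __name__ == "__main__":
    for msg, payload in run_rules(SAMPLE_SEGMENTS):
        print(f"{msg}: {payload}")
```

The third sample segment is the point the poster concedes with "it needs work": a five-character `uricontent` pattern matches any URI containing it, so tightening the rule (a longer pattern, or anchoring it to the query part of the URI) reduces noise. The model also treats each segment as a complete payload; a real sensor sees the pattern only if it is not split across packets.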