Snort mailing list archives

Concept/Nimda Snort 1.8.1 rules


From: "Paul Asadoorian" <paul.com () home com>
Date: Tue, 18 Sep 2001 18:11:26 -0400

All:

I wrote two new rules in an attempt to log this activity at my site:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT";
uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin;  rev:1;)

This rule catches anything that the other rules may miss.  Granted it needs
work and integration into the other IIS rules, but it has logged entries and
helped me to identify hosts that are infected.

alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email
Attachment"; content: "readme.exe"; nocase; flags:A+;)

The version of sendmail we are running does not allow us to filter by
attachment :-(  I wrote the above rule to log all the email activity.  We are
lucky to have one mail aggregation point, which makes this rule very effective
for finding attachments.

Hope this helps....

Paul Asadoorian, GCIA
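The difference between the two rules above is worth seeing in code: `uricontent` inspects only the (normalized) request URI, while `content` searches the whole packet payload, and `nocase` makes both comparisons case-insensitive. The script below is an added example, not part of the original post and not Snort itself: it is a simplified re-implementation of the two matching conditions, run over constructed sample payloads, so you can check what each rule would and would not fire on. The sample HTTP and SMTP payloads, and the single percent-decode used as a stand-in for Snort's URI normalization, are assumptions made for the example.

```python
"""
Added example (not from the original post): a simplified re-implementation of
the matching logic of the two Snort rules quoted above, run over constructed
sample payloads. It approximates Snort's uricontent/content semantics for
illustration; it is not Snort and does not replace it.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample payloads (not real captures).
HTTP_CMD_PROBE = b"GET /cgi-bin/cmd.exe?/C+DIR HTTP/1.0\r\nHost: www\r\n\r\n"
HTTP_BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"
# "c+dir" appears in the body only, not the URI: uricontent must NOT match.
HTTP_BODY_ONLY = b"POST /search HTTP/1.0\r\nContent-Length: 12\r\n\r\nq=/c+dir+now"
# Mixed-case attachment name: nocase makes the SMTP rule still match.
SMTP_WORM = (b"Content-Type: audio/x-wav; name=README.EXE\r\n"
             b"Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n")
SMTP_BENIGN = b"Subject: lunch\r\n\r\nSee you at noon.\r\n"


def http_uri(payload: bytes) -> Optional[str]:
    """Return the percent-decoded URI from an HTTP request line, or None.

    Snort's uricontent looks only at this part of the request, so a match in
    headers or body does not count. A single unquote() stands in for Snort's
    URI normalization here (assumption for the example).
    """
    first_line = payload.split(b"\r\n", 1)[0]
    m = re.match(rb"^[A-Z]+ (\S+) HTTP/\d\.\d$", first_line)
    if not m:
        return None
    return unquote(m.group(1).decode("latin-1"))


def concept_attempt(payload: bytes) -> bool:
    """Rule 1: uricontent:"c+dir"; nocase; -> case-insensitive, URI only."""
    uri = http_uri(payload)
    return uri is not None and "c+dir" in uri.lower()


def concept_mail_attachment(payload: bytes) -> bool:
    """Rule 2: content:"readme.exe"; nocase; -> case-insensitive, whole payload."""
    return b"readme.exe" in payload.lower()


def scan(packets: List[Tuple[int, bytes]]) -> List[Tuple[int, str]]:
    """Apply each rule to packets given as (destination port, payload).

    Returns (packet index, alert msg) pairs, mirroring the rules' port
    restrictions: rule 1 only on port 80, rule 2 only on port 25.
    """
    alerts = []
    for idx, (dport, payload) in enumerate(packets):
        if dport == 80 and concept_attempt(payload):
            alerts.append((idx, "CONCEPT ATTEMPT"))
        if dport == 25 and concept_mail_attachment(payload):
            alerts.append((idx, "Possible CONCEPT Worm Email Attachment"))
    return alerts


if __name__ == "__main__":
    sample = [(80, HTTP_CMD_PROBE), (80, HTTP_BENIGN), (80, HTTP_BODY_ONLY),
              (25, SMTP_WORM), (25, SMTP_BENIGN)]
    for idx, msg in scan(sample):
        print(f"packet {idx}: {msg}")
```

Running it reports the probe (packet 0) and the attachment (packet 3) only; the POST whose body contains `c+dir` is correctly ignored, which is the practical reason to prefer `uricontent` over `content` for the HTTP rule.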


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net