Snort mailing list archives
Re: Nimda Rules
From: Dr SuSE <drsuse () drsuse org>
Date: Thu, 20 Sep 2001 00:12:12 GMT
The email rule was written based on early reports that the attached infected file was called readme.exe. I have since learned that the names vary, so this rule should no longer be considered effective.
> I have used these two successfully. Note: I got these off another list, I can't remember who posted them, but they work.
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT"; uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin; rev:1;)
>
> alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email Attachment"; content: "readme.exe"; nocase; flags:A+;)
>
> This second rule seems to trip on every inbound email regardless of whether "readme.exe" exists or not. Any thoughts on what I might be doing wrong?
>
> Rich
"Flush twice....it's a long way to afghanistan"
---------------------------------------------
Microsoft is not installed.
http://www.drsuse.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
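Added example, not code from the thread and not Snort's own implementation: a small Python re-creation of what the two quoted rules actually test (a case-insensitive `uricontent` match on the request URI, and a case-insensitive `content` match anywhere in the SMTP payload), run over constructed HTTP and SMTP samples, plus a filename-independent attachment check that follows from the point above that the attachment name varies. The request path, the sample messages and the list of executable extensions are assumptions made for illustration; the percent-decoding is a loose stand-in for Snort's URI normalisation, not its code.

```python
"""Toy re-implementation of the two Snort rules quoted in the thread, plus a
filename-independent attachment check.  Added example; all traffic below is
constructed for illustration, none of it is captured data."""
from email import message_from_bytes
from urllib.parse import unquote_to_bytes

# Rule 1: uricontent:"c+dir"; nocase;  -> evaluated against the request URI only.
HTTP_URI_PATTERN = b"c+dir"
# Rule 2: content:"readme.exe"; nocase; -> evaluated against the whole payload.
MAIL_CONTENT_PATTERN = b"readme.exe"
# Assumed list for the generalised check (not from the thread): any attachment
# whose name ends in one of these is flagged, whatever the rest of the name is.
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat")


def request_uri(http_request: bytes) -> bytes:
    """Return the percent-decoded URI of an HTTP request line.  Decoding here
    loosely mimics URI normalisation before a uricontent match is evaluated."""
    request_line = http_request.split(b"\r\n", 1)[0]
    fields = request_line.split(b" ")
    if len(fields) < 2:
        return b""
    return unquote_to_bytes(fields[1])


def http_rule_matches(http_request: bytes) -> bool:
    """Rule 1: does 'c+dir' appear (case-insensitively) in the request URI?"""
    return HTTP_URI_PATTERN in request_uri(http_request).lower()


def email_rule_matches(smtp_payload: bytes) -> bool:
    """Rule 2 as posted: does 'readme.exe' appear anywhere in the payload?
    A differently named attachment slips past this check entirely."""
    return MAIL_CONTENT_PATTERN in smtp_payload.lower()


def executable_attachments(raw_message: bytes) -> list:
    """Filename-independent check: walk the MIME tree and return the names of
    attachments whose extension marks them as executable."""
    msg = message_from_bytes(raw_message)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no filename of their own
        name = part.get_filename()
        if name and name.lower().endswith(EXEC_EXTENSIONS):
            found.append(name)
    return found


# Constructed samples.  The HTTP request carries the cmd.exe?/c+dir pattern the
# first rule is aimed at; the benign one does not.
NIMDA_STYLE_HTTP = (
    b"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
    b"Host: www.example.test\r\n\r\n"
)
BENIGN_HTTP = b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n"


def sample_mail(filename: str) -> bytes:
    """Build a constructed two-part MIME message with one named attachment."""
    return (
        b"From: a@example.test\r\nTo: b@example.test\r\nSubject: hi\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
        b"--b1\r\nContent-Type: application/octet-stream\r\n"
        b'Content-Disposition: attachment; filename="' + filename.encode() + b'"\r\n'
        b"Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--b1--\r\n"
    )


if __name__ == "__main__":
    print("HTTP rule, probe  :", http_rule_matches(NIMDA_STYLE_HTTP))
    print("HTTP rule, benign :", http_rule_matches(BENIGN_HTTP))
    for name in ("README.EXE", "Sample.exe", "report.pdf"):
        raw = sample_mail(name)
        print(f"{name:11} rule2={email_rule_matches(raw)!s:5} "
              f"by-extension={executable_attachments(raw)}")
```

Running it shows the gap the reply above describes: the posted email rule fires on `README.EXE` but not on `Sample.exe`, while the extension-based walk over the MIME parts flags both and ignores the PDF. It does not reproduce a match on every inbound message, so whatever caused that in Rich's setup is not visible in the rule text alone.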
Current thread:
- Nimda Rules Lists (Sep 19)
- Re: Nimda Rules Rich Adamson (Sep 19)
- Re: Nimda Rules Phil Wood (Sep 19)
- Nimda infections.. Franki (Sep 20)
- Re: Nimda Rules Phil Wood (Sep 19)
- <Possible follow-ups>
- Re: Nimda Rules Dr SuSE (Sep 19)
- Re: Nimda Rules Rich Adamson (Sep 19)