Snort mailing list archives
Re: Nimda Rules
From: Phil Wood <cpw () lanl gov>
Date: Wed, 19 Sep 2001 19:57:32 -0600
On Wed, Sep 19, 2001 at 06:03:17PM -0600, Rich Adamson wrote:
> I have used these two successfully. Note: I got these off another list, I can't remember who posted them, but they work.
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT"; uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin; rev:1;)
>
> alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email Attachment"; content: "readme.exe"; nocase; flags:A+;)
^ You will find this a lot in just plain email discussing this. In fact, your snort should trigger on this email %^)
> This second rule seems to trip on every inbound email regardless of whether "readme.exe" exists or not. Any thoughts on what I might be doing wrong?
>
> Rich
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
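As an added illustration of the false positive Phil points out, here is a small Python model of the difference between Snort's `content:` option (a raw substring search over the packet payload, which is what the second rule does) and a check that only fires when the string is the filename of an actual MIME attachment. This is example code written for this archive page, not code from the thread or from the Snort project; the three mail messages are constructed samples, and `attachment_filename_match` is a hypothetical tighter check, not a Snort feature.

```python
import email
from email import policy

# Constructed sample SMTP message bodies (not real captures).
# 1. Someone merely talking about the worm: the string appears in the text.
DISCUSSION_MAIL = """\
From: alice@example.test
To: bob@example.test
Subject: Nimda notes
Content-Type: text/plain

Heads up: the worm arrives as an attachment named readme.exe,
so please don't open it.
"""

# 2. A message that really carries an attachment called readme.exe.
ATTACHMENT_MAIL = """\
From: alice@example.test
To: bob@example.test
Subject: Re: your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attached
--XYZ
Content-Type: application/octet-stream; name="readme.exe"
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""

# 3. An ordinary message with no mention of the string at all.
CLEAN_MAIL = """\
From: alice@example.test
To: bob@example.test
Subject: lunch

noon?
"""


def snort_content_match(payload: str, pattern: str, nocase: bool = True) -> bool:
    """Mimic Snort's content:/nocase options: a plain substring search over the
    payload, with no understanding of mail structure."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def attachment_filename_match(payload: str, filename: str) -> bool:
    """Hypothetical tighter check (not a Snort option): parse the message as MIME
    and fire only if some part is an attachment whose filename equals `filename`.
    Text that merely mentions the name does not count."""
    msg = email.message_from_string(payload, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() == filename.lower():
            return True
    return False


def evaluate(payload: str) -> dict:
    """Run both checks for the string the second rule looks for."""
    return {
        "raw_content_rule": snort_content_match(payload, "readme.exe"),
        "attachment_check": attachment_filename_match(payload, "readme.exe"),
    }


if __name__ == "__main__":
    for label, mail in (("discussion", DISCUSSION_MAIL),
                        ("attachment", ATTACHMENT_MAIL),
                        ("clean", CLEAN_MAIL)):
        print(label, evaluate(mail))
```

The discussion message trips the raw content check exactly as Phil describes, while the MIME-aware check fires only for the message that actually carries the attachment. A sensor that sees one packet at a time cannot parse a whole message like this, so in practice the usual compromise is to anchor the string on the surrounding MIME header text (the `filename=` parameter) rather than on the bare name, and to accept that a name split across two packets will be missed.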