Snort mailing list archives

Re: Nimda Rules


From: Phil Wood <cpw () lanl gov>
Date: Wed, 19 Sep 2001 19:57:32 -0600

On Wed, Sep 19, 2001 at 06:03:17PM -0600, Rich Adamson wrote:
I have used these two successfully.  

Note: I got these off another list, I can't remember who posted them,
but they work.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT";
uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin;
rev:1;)

alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email
Attachment"; content: "readme.exe"; nocase; flags:A+;)
                              ^
You will find this a lot in just plain email discussing this.  In fact,
your snort should trigger on this email %^)


This second rule seems to trip on every inbound email regardless of
whether "readme.exe" exists or not. Any thoughts on what I might be
doing wrong?

Rich


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
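To make Phil's point concrete, here is an added example that is not part of the thread and not Snort's own code. It reproduces what the second rule does (a case-insensitive substring match for "readme.exe" over the raw message bytes) against two constructed messages: one that only mentions the filename in its body, the way a list discussion would, and one that actually carries an attachment declared with that name. It then shows a narrower check that only consults the MIME attachment filename. The MIME-filename check is my own suggested narrowing, not something proposed in the thread, and the sample messages and addresses are made up.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample 1: a plain-text message that merely talks about the
# worm and names the attachment in its body (like this mailing-list thread).
DISCUSSION_MAIL = b"""From: alice@example.test
To: bob@example.test
Subject: Nimda rule question
Content-Type: text/plain; charset="us-ascii"

Our Snort rule matches on "readme.exe" and fires on every message
that so much as mentions the worm. Any ideas?
"""


def build_attachment_mail() -> bytes:
    """Constructed sample 2: a message that really carries an attachment
    whose declared filename is readme.exe (payload is a dummy byte string)."""
    msg = EmailMessage()
    msg["From"] = "mallory@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "see attached"
    msg.set_content("Please review the attached file.")
    msg.add_attachment(
        b"MZ-dummy-not-a-real-executable",
        maintype="application",
        subtype="octet-stream",
        filename="readme.exe",
    )
    return msg.as_bytes()


def naive_content_match(raw: bytes, needle: bytes = b"readme.exe") -> bool:
    """What the list's second rule does: content:"readme.exe"; nocase;
    i.e. a case-insensitive substring search over the whole payload,
    with no notion of where in the message the bytes occur."""
    return needle.lower() in raw.lower()


def attachment_name_match(raw: bytes, name: str = "readme.exe") -> bool:
    """Narrower check (my suggestion, not from the thread): parse the MIME
    structure and look only at declared attachment filenames, so a message
    that merely mentions the name in its text does not match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower() == name.lower():
            return True
    return False


def evaluate(raw: bytes) -> dict:
    """Run both checks on one message and report which would have fired."""
    return {
        "naive_content_rule": naive_content_match(raw),
        "mime_filename_check": attachment_name_match(raw),
    }


if __name__ == "__main__":
    for label, sample in (("discussion", DISCUSSION_MAIL),
                          ("attachment", build_attachment_mail())):
        print(label, evaluate(sample))
```

The naive check fires on both samples, which is exactly the behaviour Rich describes and Phil explains; the filename check fires only on the message that declares the attachment. Note that the Python version works on a whole reassembled message, whereas a single-packet `content` match sees only one TCP segment, so even a header-aware rule can miss a filename that straddles a packet boundary.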

