Snort mailing list archives
Re: All snort users -- Rules?
From: Phil Wood <cpw () lanl gov>
Date: Sat, 22 Sep 2001 18:20:17 -0600
This NIMDA thing is multifaceted; you will possibly need more than one rule to sense what's happening.

Unfortunately, it's really too late. All those who use IE 5.[01] and cruise the web are in deep do-do. As you all know, you can get it in email, and as you browse the web (automatic, no need to click on the "attachment"). After you hit one of those sites, your system will be infected, and you will join the legions attacking the Internet.

Basically, you and everyone else need to get the vulnerable Microsoft systems upgraded to the absolutely newest OS version, and then patched. Prior to that, you need to unhook all vulnerable Microsoft systems from the net. Or they will soon be participating in this brouhaha.

If this is just too hard to do, then I guess the best thing would be to disconnect your network from the Internet.

However, if you want to watch it happening, and build special rules to catch the various facets of this "virus", I've included the virus as sent over the web (same as one sent in email), which you can investigate and construct rules to detect.

Bonne chance,

On Sat, Sep 22, 2001 at 03:21:20PM -0400, Tim wrote:

To all snort users:

I am still learning and would like to learn more. Time is not on my side in reference to the Nimda attacks. Even though I have locked down our servers with the necessary patches and removal of unnecessary services, I believe that our network is still vulnerable. I have started to learn snort....but not soon enough....if you would all provide me with or point me in the direction where I can find a rule set for the nimda virus and its detection/repair/deletion, I would be ever so grateful.

---
Tim -- Mia/Fla. --
-------------
I prefer to be a dreamer among the humblest, with visions to be realized, than a lord among those without dreams and desires.
------------

-- Phil Wood, cpw () lanl gov
Attachment: admin.asc