Snort mailing list archives
Re: DOS rules for Nimda
From: Chris Green <cmg () sourcefire com>
Date: Thu, 26 Sep 2002 10:05:06 -0400
"Richard Ellerbrock" <richarde () eskom co za> writes:
I am trying to help a very large site that is being killed by denial of service due to a large number of MS type workstations infected by Nimda. The standard snort rules are no good as no connection is actually made, just a HUGE SYN flood looking for open Web servers to infect. Traffic looks like this:
The easiest way to detect this is by saying alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg: "OUTGOING cmd.exe"; content: "cmd.exe"); because eventually one of these will do the probing. -- Chris Green <cmg () sourcefire com> Warning: time of day goes back, taking countermeasures. ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- DOS rules for Nimda Richard Ellerbrock (Sep 26)
- Re: DOS rules for Nimda Chris Green (Sep 26)
- Re: DOS rules for Nimda Martin Roesch (Sep 26)
- <Possible follow-ups>
- RE: DOS rules for Nimda McCammon, Keith (Sep 26)
- RE: DOS rules for Nimda Tudor Panaitescu (Sep 26)
- RE: DOS rules for Nimda Richard Ellerbrock (Sep 26)
- Re: DOS rules for Nimda Richard Ellerbrock (Sep 26)
- RE: DOS rules for Nimda Madziarczyk, Jonathan (Sep 26)
- RE: DOS rules for Nimda Richard Ellerbrock (Sep 26)