[Snort-sigs] Concept/Nimda sig

Joao Gouveia jgouveia at ...111...
Tue Sep 18 13:02:03 EDT 2001


Hi all,

Based on a superficial analysis of this new worm, here is a simple sig that
will detect the HTTP attempt.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Concept-Nimda"; flags: A+; content:"|48 6F 73 74 3A 20 77 77 77 0D 0A|"; )

Regards,

Joao Gouveia