[Snort-sigs] nimda.nws

HenkP at ...747... HenkP at ...747...
Tue Aug 13 06:15:02 EDT 2002

Hi all,
snort is picking up nimda signatures all over our network.
These sigantures are from many different machines, all these machines have
been cleaned by NAV corporate ed. from NIMDA (and also have the latest
definitions on them) and the virus cannot be found on any machine anywhere
in the network.

Snort is reporting all of the following signature descriptions.
web-cgi scripalias access
web iis isapi .ida access
web iis access
web misc icq webfront HTTP dos attack
web iis .cnf access
web traversal
web misc ?open access
netbios nimda.nws
web misc domino names access

to name a few

I dont think that this can be false positives since these signatures are
triggered CONSTANTLY and from various systems on the network, indicating
that it is not one machine causing a false positive...
Could it be a new version of nimda that norton does not pick up on ?

Please assist with advice.


Henk Pretorius

More information about the Snort-sigs mailing list