[Snort-sigs] Nimda virus - urgent
stephane.nasdrovisky at ...345...
Thu Feb 7 00:20:08 EST 2002
koyo wong wrote:
> Dear all,
> Recently my network has been continuously emerging alerts for this rule:
> alert tcp any any -> any 139 (msg:"NETBIOS nimda RICHED20.DLL";
> content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; flags:A+;
> reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1295;)
> Would anyone know if this really implies the Nimda virus traffic, thx.
Certainly not, an alert, or thousands of these do not mean it is a true
positive. A good idea would be to check whether these are false or true
I guess you checked your workstations and servers against nimda and/or
this richedXX.dll file, you sniffed your netbios traffic to know exactly
what happens?
If you did all this, you already have the answer.
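
The check suggested above can be started offline on captured payloads. The following is an added example, not part of the original message or of Snort: it applies the quoted rule's content bytes to payloads and decodes the UTF-16LE string around each hit, so an analyst can see which path the session actually referenced. The `fake_packet` helper, its header bytes and the sample paths are constructed for illustration and are not real SMB framing.

```python
import re

# Content bytes of the quoted rule (sid:1295), with the 00 bytes written out.
RULE_CONTENT = b"R\x00I\x00C\x00H\x00E\x00D\x002\x000"

# Runs of printable ASCII stored as UTF-16LE (char, 00), four characters or more;
# the optional last byte covers a string cut off at the end of a segment.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}[\x20-\x7e]?")

def rule_matches(payload: bytes) -> bool:
    """True when the payload contains the rule's content (case-sensitive, no nocase)."""
    return RULE_CONTENT in payload

def matched_strings(payload: bytes) -> list:
    """Decode every UTF-16LE string in the payload that contains the rule content."""
    found = []
    for m in UTF16_RUN.finditer(payload):
        raw = m.group()
        if RULE_CONTENT not in raw:
            continue
        if len(raw) % 2:  # pad a trailing half character before decoding
            raw += b"\x00"
        found.append(raw.decode("utf-16-le"))
    return found

def fake_packet(path: str) -> bytes:
    """Constructed payload: placeholder header bytes plus a UTF-16LE path."""
    return b"\xffSMB\xa2" + b"\x00" * 8 + path.encode("utf-16-le") + b"\x00\x00"

# Constructed sample paths, not taken from any real capture.
SAMPLES = [
    "\\WINNT\\system32\\RICHED20.DLL",
    "\\shared\\docs\\RICHED20.DLL",
    "\\shared\\docs\\riched20.dll",
    "\\shared\\docs\\report.doc",
]

def triage(paths):
    """Return (path, alert fired?, decoded context) for each constructed sample."""
    return [(p, rule_matches(fake_packet(p)), matched_strings(fake_packet(p)))
            for p in paths]

if __name__ == "__main__":
    for path, fired, context in triage(SAMPLES):
        print(f"{'ALERT' if fired else 'quiet':5}  {path:32}  context={context}")
```

The rule fires on the file name alone, whatever the directory or operation, and says nothing about the file's content, which is why the alert count by itself cannot answer the question.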