[Snort-sigs] Nimda virus - urgent

Stephane Nasdrovisky stephane.nasdrovisky at ...345...
Thu Feb 7 00:20:08 EST 2002



koyo wong wrote:

> Dear all,
>
> Recently my network has been continously emergin alerts for this rule:
>
> alert tcp any any -> any 139 (msg:"NETBIOS nimda RICHED20.DLL";
> content:"R/00/I/00/C/00/H/00/E/00/D/00/2/00/0"; flags:A+;
> classtype:bad-unknown;
> reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1295;
> rev:2;)
>
> Would anyone know if this really implies the Nimda virus traffic, thx.

Certainly not, an alert, or thousands of these do not mean it is a true
positive. A good idea would be to check wether these are false or true
positives.
I guess you checked your worksations and servers against nimda and/or
this richedXX.dll file, you sniffed your netbios traffic to know exactly
what happens ?
If you did all this, you already have the answer.





More information about the Snort-sigs mailing list