[Snort-sigs] Nimda virus - urgent

Coochey, Giles g.coochey at ...138...
Thu Feb 7 00:34:03 EST 2002


We use McAfee Netshield, and it generates this event when users update their
virus signatures.

If you have Nimda then you're likely to see lots of NETBIOS nimda.eml,
NETBIOS nimda.nws, WEB IIS cme.exe + directory traversal + Code Red v2
root.exe alerts.

If you're not seeing any of those other mentioned then it's unlikely that
you have a Nimda Outbreak in your network.

Thanks

Giles
  -----Original Message-----
  From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of koyo wong
  Sent: 07 February 2002 02:06
  To: Snort-sigs at lists.sourceforge.net
  Subject: [Snort-sigs] Nimda virus - urgent
  Importance: High


  Dear all,

  Recently my network has been continously emergin alerts for this rule:

  alert tcp any any -> any 139 (msg:"NETBIOS nimda RICHED20.DLL";
content:"R/00/I/00/C/00/H/00/E/00/D/00/2/00/0"; flags:A+;
classtype:bad-unknown;
reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1295; rev:2;)

  Would anyone know if this really implies the Nimda virus traffic, thx.

  Koyo

  --
_______________________________________________
Sign-up for your own FREE Personalized E-mail at  Mail.com
Win a ski trip!


  _______________________________________________ Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020207/ec60f812/attachment.html>


More information about the Snort-sigs mailing list