[Snort-sigs] Nimda virus - urgent

Chris Green cmg at ...26...
Thu Feb 7 06:37:07 EST 2002


"Coochey, Giles" <g.coochey at ...138...> writes:
> If you have Nimda then you're likely to see lots of NETBIOS nimda.eml,
> NETBIOS nimda.nws, WEB IIS cme.exe + directory traversal + Code Red v2
> root.exe alerts.
>  
> If you're not seeing any of those other mentioned then it's unlikely
> that you have a Nimda Outbreak in your network.
>

When deducing false positives and events, it's very important to look
at the actual packets themselves and understand their context in
relation to the other packets.

I use ethereal or snort -dev -r logs.cap on the tcpdump binary logs
in addition to seeing the alert info.  This isn't perfect but alerts
are done so the analyst has something to analyze.  You can go for
general alert based heuristics ( I saw x,y,z => DANGER DANGER ) or
more packet / stream specific determinism ( I saw X, it was a
request for ..%255c../cmd.exe )

The goal in writing great signatures to me is making the heuristics
much more reliable although every time I think I've got a very reliable
set of heuristics for a specific event, something happens that makes
me reconsider.
--
Chris Green <cmg at ...26...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx
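As an added illustration of the "packet-specific determinism" the reply above describes (example code, not from the original thread or from Snort): decode the request path out of a captured HTTP request line, undoing the double URL encoding that turns %255c into a backslash, and check whether it is a traversal to cmd.exe or a root.exe request, the two Nimda / Code Red indicators the thread mentions. The request lines are constructed samples, not a real capture.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines, the kind an analyst would pull out of a
# capture with ethereal or "snort -dev -r logs.cap" to confirm an alert.
SAMPLE_REQUESTS = [
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /_vti_bin/..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /docs/cmd.exe.txt HTTP/1.0",   # mentions cmd.exe but is not a request for it
]

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
TARGET = re.compile(r"/(cmd\.exe|root\.exe)$", re.IGNORECASE)


def decode_path(uri):
    """Strip the query string and undo up to two layers of URL encoding.

    Nimda used %255c: one decode yields %5c, a second yields a backslash,
    which is then normalised to a forward slash for matching.
    """
    path = uri.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def classify(request_line):
    """Return (traversal_seen, target_seen, decoded_path) for one request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return (False, False, "")
    path = decode_path(parts[1])
    return (bool(TRAVERSAL.search(path)), bool(TARGET.search(path)), path)


def scan(request_lines):
    """Return only the request lines that actually request cmd.exe or root.exe,
    together with the decoded path, so the verdict rests on packet content."""
    hits = []
    for line in request_lines:
        traversal, target, path = classify(line)
        if target:
            hits.append((line, path, traversal))
    return hits
```

Running scan(SAMPLE_REQUESTS) flags the first three lines and leaves the two benign ones alone; the decoded path is what the analyst would cite instead of the raw alert name.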