[Snort-sigs] Updated BLASTER TFTP rules
bmc at ...95...
Wed Aug 20 01:14:07 EDT 2003
On Wed, Aug 20, 2003 at 11:52:27AM +1200, Jason Haar wrote:
> The existing TFTP rules I've seen around for BLASTER don't appear to be
> correct, and don't account for the newer variants that use different filenames.
Duh. Don't use the specific to this worm rules. Why must you know
which variant that caused you to get owned? You have to reinstall the
There is a generic TFTP GET rule, you should use that rule and filter out
the tftp traffic that IS allowed on your network and alert on anything
Just because you don't see "DCOM OWNED YOUR ASS!%)*@%" in a rule message
doesn't mean the rule isn't there. CVE is a good thing. Use it.
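
The approach recommended in the message above (alert on every TFTP GET, minus the TFTP traffic the network sanctions, regardless of filename), sketched as an added example that is not part of the original post or of the Snort ruleset. The allowlisted server address, the function names and the sample datagrams are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Assumption: the only TFTP server this network sanctions (constructed address).
ALLOWED_TFTP_SERVERS = {ipaddress.ip_address("10.0.0.5")}
TFTP_PORT = 69
OP_RRQ = 1  # RFC 1350 read request, i.e. a TFTP "GET"


def parse_rrq(payload: bytes):
    """Return (filename, mode) for a well-formed TFTP RRQ, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode != OP_RRQ:
        return None
    # Layout after the opcode: filename NUL mode NUL
    parts = payload[2:].split(b"\x00")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        return None
    name = parts[0].decode("ascii", "replace")
    mode = parts[1].decode("ascii", "replace").lower()
    return name, mode


def unexpected_tftp_gets(datagrams, allowed=ALLOWED_TFTP_SERVERS):
    """Flag every RRQ sent to a server outside the allowlist.

    The filename is reported but never matched on, so a renamed
    payload is flagged the same way as a known one.
    """
    alerts = []
    for src, dst, dport, payload in datagrams:
        if dport != TFTP_PORT:
            continue
        rrq = parse_rrq(payload)
        if rrq is None or ipaddress.ip_address(dst) in allowed:
            continue
        alerts.append({"client": src, "server": dst,
                       "filename": rrq[0], "mode": rrq[1]})
    return alerts


# Constructed sample: (src, dst, dst_port, UDP payload)
SAMPLE = [
    ("10.0.1.20", "10.0.0.5", 69, b"\x00\x01pxelinux.0\x00octet\x00"),   # sanctioned
    ("10.0.1.33", "192.0.2.77", 69, b"\x00\x01update.bin\x00octet\x00"),
    ("10.0.1.34", "192.0.2.77", 69, b"\x00\x01other.bin\x00OCTET\x00"),
    ("10.0.1.35", "192.0.2.77", 69, b"\x00\x02upload.txt\x00netascii\x00"),  # WRQ
    ("10.0.1.36", "192.0.2.77", 53, b"\x00\x01not-tftp\x00octet\x00"),   # not port 69
]
```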