[Snort-sigs] Nimda

Matt Kettler mkettler at ...189...
Tue May 27 15:01:05 EDT 2003

Snort should catch the directory traversal attempts from Nimda with the 
default ruleset.

Some things to check:

1) what is HTTP_PORTS defined as in snort.conf.. if you have a comma in 
there, look no further.. comma separated lists are NOT supported here, just 
single ports or : separated ranges.

2) what are HTTP_SERVERS,  and EXTERNAL_NET defined as in snort.conf? How 
do the destination and source addresses of the attacks relate to these 
ranges? (ie: is the source included in EXTERNAL_NET and the targeted server 

3) are you using stream4?

4) what kind of dropped-packet rate are you getting?

At 04:42 PM 5/27/2003 -0400, Joe Kinsella wrote:
>I'm new to snort so please forgive me if I am re-treading old ground.  I've
>installed Snort 2.0 on my IIS web server.  My web server is also running
>URLScan to reject specific attacks.  One of the attacks I see frequently
>rejected is Nimda (http://www.cert.org/advisories/CA-2001-26.html).  Snort
>did not flag these HTTP requests as attacks - and I scanned the rule files
>for a rule that looks like it would have caught Nimda.  Since this worm has
>been around so long, I am assuming a rule MUST be available for this.
>Advice is appreciated.
>This SF.net email is sponsored by: ObjectStore.
>If flattening out C++ or Java code to make your application fit in a
>relational database is painful, don't do it! Check out ObjectStore.
>Now part of Progress Software. http://www.objectstore.net/sourceforge
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list