[Snort-sigs] Nimda

Joe Kinsella jkinsella at ...1541...
Wed May 28 05:59:06 EDT 2003


What I see in my logs on a Nimda attack looks like this:

~/scripts/root.exe
~/MSADC/root.exe
~/c/winnt/system32/cmd.exe
~/d/winnt/system32/cmd.exe
~/scripts/..%255c../winnt/system32/cmd.exe
~/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
~/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
~/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe
~/scripts/..%c1%1c../winnt/system32/cmd.exe
~/scripts/..%c0%2f../winnt/system32/cmd.exe
~/scripts/..%c0%af../winnt/system32/cmd.exe
~/scripts/..%c1%9c../winnt/system32/cmd.exe
~/scripts/..%%35%63../winnt/system32/cmd.exe
~/scripts/..%%35c../winnt/system32/cmd.exe
~/scripts/..%25%35%63../winnt/system32/cmd.exe
~/scripts/..%252f../winnt/system32/cmd.exe
~/default.ida

Am I right that none of these HTTP requests would be flagged by the default
Snort rules as an attack?  The above is just about identical to the original
CERT advisory for Nimda.

Am I missing something?  If not, some questions about rule creation:
1) How do I assign sids to my rules?  Do I just use the next available id?
2) If I was creating rules for the above signature, would I create one rule
for each of the above?  Or should I just create three rules (root.exe,
cmd.exe and default.ida)?

Thanks in advance.

Joe

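Added example, not from the post or from the Snort project: the request paths above differ only in how the path separator is encoded (double percent-encoding such as %255c, and overlong UTF-8 pairs such as %c0%af), so a detector that canonicalises the URI before matching needs far fewer patterns than one rule per line. The log lines are constructed from the paths in the post, and the overlong decode is assumed to mirror a lenient decoder that accepts C0/C1 lead bytes.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real traffic) built from the request paths in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [28/May/2003:05:59:06 -0400] "GET /scripts/root.exe HTTP/1.0" 404 -
10.0.0.5 - - [28/May/2003:05:59:06 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 -
10.0.0.5 - - [28/May/2003:05:59:07 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0" 404 -
10.0.0.5 - - [28/May/2003:05:59:07 -0400] "GET /scripts/..%%35c../winnt/system32/cmd.exe HTTP/1.0" 404 -
10.0.0.5 - - [28/May/2003:05:59:08 -0400] "GET /default.ida HTTP/1.0" 404 -
10.0.0.9 - - [28/May/2003:06:01:00 -0400] "GET /index.html HTTP/1.0" 200 1234
"""

# Two-byte sequences with lead byte C0/C1 are overlong UTF-8. Assumption: a lenient
# decoder yields ((lead & 0x1F) << 6) | (trail & 0x3F), so %c0%af -> '/' and %c1%9c -> '\'.
OVERLONG = re.compile(r"%(c[01])%([0-9a-f]{2})", re.IGNORECASE)

def normalize_uri(path: str, rounds: int = 3) -> str:
    """Decode overlong UTF-8 and nested percent-encoding, then canonicalise separators."""
    for _ in range(rounds):
        decoded = OVERLONG.sub(
            lambda m: chr(((int(m.group(1), 16) & 0x1F) << 6) | (int(m.group(2), 16) & 0x3F)),
            path)
        decoded = unquote(decoded, errors="replace")   # one layer of %xx per round
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

# The three targets the post boils the traffic down to; matched only after normalisation.
NIMDA_TARGETS = ("/root.exe", "/cmd.exe", "/default.ida")

def classify_request(path: str):
    """Return (target, normalised_path) when the request reaches a Nimda target, else None."""
    norm = normalize_uri(path)
    for target in NIMDA_TARGETS:
        if norm.endswith(target):
            return target.lstrip("/"), norm
    return None

REQUEST = re.compile(r'"GET (\S+) HTTP/')

def scan_log(text: str):
    """Return a list of (source_ip, target, normalised_path) for every matching request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST.search(line)
        result = classify_request(m.group(1)) if m else None
        if result:
            hits.append((line.split()[0], *result))
    return hits
```

Running scan_log(SAMPLE_LOG) reports the five Nimda probes and ignores the ordinary /index.html request, with each hit showing the decoded path that the encoding was hiding.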

-----Original Message-----
From: Nigel Houghton [mailto:nigel.houghton at ...435...]
Sent: Tuesday, May 27, 2003 8:10 PM
To: Joe Kinsella
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Nimda
