No subject


Thu Nov 23 16:34:03 EST 2017


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT readme.eml download attempt"; flow:from_client,established; uricontent:"/readme.eml"; nocase; classtype:attempted-user; sid:1284; reference:url,www.cert.org/advisories/CA-2001-26.html; rev:9;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT readme.eml autoload attempt"; flow:to_client,established; content:"window.open(\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; reference:url,www.cert.org/advisories/CA-2001-26.html; rev:8;)

Both these rules pertain to the spread of Nimda.
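
Added example (not part of the original post, and not Snort code): a Python sketch of what the two rules test, run over constructed HTTP messages. It assumes the direction of each message is already known, ignores the port and established-session conditions, and uses plain percent-decoding as a simplified stand-in for the URI normalization Snort applies before uricontent; the function names and sample hosts are hypothetical.

```python
from urllib.parse import unquote

# Patterns copied from the two rules above.
URI_PATTERN = "/readme.eml"                 # sid 1284, uricontent
BODY_PATTERN = 'window.open("readme.eml"'   # sid 1290, content


def decoded_uri(request: bytes) -> str:
    """Percent-decode the URI on the request line (simplified stand-in
    for the URI normalization Snort applies before uricontent)."""
    parts = request.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    return unquote(parts[1], encoding="latin-1") if len(parts) >= 2 else ""


def match(direction: str, payload: bytes):
    """Return the sid whose pattern matches this payload, or None."""
    if direction == "from_client":
        if URI_PATTERN in decoded_uri(payload).lower():        # nocase
            return 1284
    elif direction == "to_client":
        if BODY_PATTERN in payload.decode("latin-1").lower():  # nocase
            return 1290
    return None


# Constructed sample traffic (not captured from a real network).
SAMPLES = [
    ("from_client", b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n"),
    ("from_client", b"GET /ReadMe.EML HTTP/1.0\r\nHost: www.example.test\r\n\r\n"),
    ("from_client", b"GET /docs/readme%2Eeml HTTP/1.0\r\nHost: www.example.test\r\n\r\n"),
    ("to_client", b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  b'<html><script>Window.Open("README.EML", null)</script></html>'),
    ("to_client", b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  b'<html><a href="notes.txt">notes</a></html>'),
]


def scan(samples):
    """Return the matching sid (or None) for each sample, in order."""
    return [match(direction, payload) for direction, payload in samples]


if __name__ == "__main__":
    for (direction, payload), sid in zip(SAMPLES, scan(SAMPLES)):
        print(direction, payload.split(b"\r\n", 1)[0], "->", sid)
```

The third sample matches sid 1284 only because the URI is decoded before comparison, which is the reason the first rule uses uricontent rather than content.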


