No subject


Thu Nov 23 16:34:03 EST 2017


alert udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content:"|0001|"; offset:0; depth:2; content:"admin.dll"; offset:2; nocase; classtype:successful-admin; reference:url,www.cert.org/advisories/CA-2001-26.html; sid:1289; rev:2;)

also pertains to the attempt to spread infection.

Further information can be found at:

http://www.snort.org/snort-db/sid.html?sid=1284
http://www.snort.org/snort-db/sid.html?sid=1290


On Tue, 27 May 2003 16:42:00 -0400
Joe Kinsella <jkinsella at ...1541...> said something like:

: I'm new to snort so please forgive me if I am re-treading old ground. I've
: installed Snort 2.0 on my IIS web server.  My web server is also running
: URLScan to reject specific attacks.  One of the attacks I see frequently
: rejected is Nimda (http://www.cert.org/advisories/CA-2001-26.html). Snort
: did not flag these HTTP requests as attacks - and I scanned the rule files
: for a rule that looks like it would have caught Nimda.  Since this worm has
: been around so long, I am assuming a rule MUST be available for this.
: 
: Advice is appreciated.
: 
: Joe


-------------------------------------------------------------
Nigel Houghton       Security Engineer        Sourcefire Inc.

"I have read of a place where humans do battle in a ring of Jell-O."
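
An added example, not part of the original message and not Snort code: a Python sketch of the two content checks in the sid:1289 rule above, run over constructed TFTP payloads and compared with a stricter parse of the read-request filename. The helper names and the sample payloads are assumptions made for illustration.

```python
import struct

def rrq(filename: bytes, mode: bytes = b"octet", opcode: int = 1) -> bytes:
    """Build a constructed TFTP request payload: opcode, filename NUL, mode NUL."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"

def rule_matches(payload: bytes) -> bool:
    """Mirror the rule's two content options on a UDP payload sent to port 69."""
    # content:"|0001|"; offset:0; depth:2  -> bytes 0-1 must be the RRQ opcode
    if payload[0:2] != b"\x00\x01":
        return False
    # content:"admin.dll"; offset:2; nocase -> substring search from byte 2 on
    return b"admin.dll" in payload[2:].lower()

def parse_rrq(payload: bytes):
    """Return (filename, mode) for a well-formed read request, else None."""
    if len(payload) < 4 or payload[0:2] != b"\x00\x01":
        return None
    parts = payload[2:].split(b"\x00")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        return None
    return parts[0], parts[1]

def requests_admin_dll(payload: bytes) -> bool:
    """Stricter check: the requested file's base name is exactly admin.dll."""
    parsed = parse_rrq(payload)
    if parsed is None:
        return False
    base = parsed[0].replace(b"\\", b"/").rsplit(b"/", 1)[-1]
    return base.lower() == b"admin.dll"

# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "rrq Admin.dll": rrq(b"Admin.dll"),
    "rrq upper case": rrq(b"ADMIN.DLL"),
    "rrq other file": rrq(b"readme.txt"),
    "wrq Admin.dll": rrq(b"Admin.dll", opcode=2),
    "rrq substring only": rrq(b"sysadmin.dll.bak"),
}

def compare(samples=SAMPLES):
    """Map each sample name to (rule verdict, strict filename verdict)."""
    return {n: (rule_matches(p), requests_admin_dll(p)) for n, p in samples.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:20} rule={verdicts[0]!s:5} strict={verdicts[1]}")
```

The substring-only sample shows that the rule fires on any read request whose payload contains "admin.dll" after the opcode, so an alert is worth checking against the actual requested filename.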



