[Snort-users] Anyone got a sig for SMB Nimda?

Brian bmc at ...950...
Tue Oct 2 06:14:05 EDT 2001


According to Jason Haar:
> If no-one has done it, can someone tell me how to read SMB packets so as to
> write a rule that alerts on any SMB session containing the string
> "readme.exe"?

Robert Graham posted one to FOCUS-IDS a while back.  I've added that
signature and a number of others.  For simplicity, I have attached those 
signatures.  

> [Shouldn't we start a set of "smb.rules"?]

Already exists.  netbios.rules

-- 
You are a very redundant person, that's what kind of person you are.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; content:"|00|E|00|M|00|L"; flags:A+; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; content:"|00|N|00|W|00|S"; flags:A+; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1294; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; flags:A+; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1295; rev:2;)
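A worked example, added here and not part of Brian's message or of the attached signatures, showing where the |00| escapes in those rules come from and how to build the equivalent pattern for "readme.exe". SMB carries Unicode file names as UTF-16LE, so every ASCII character is followed by a 0x00 byte; a content match on the plain string "readme.exe" never fires, while a match on the wide form does. The function names, the msg/classtype of the emitted rule, the sid 1000001 and the sample payload are all assumptions or constructed for the example; the payload is not a real SMB frame.

```python
import re

# Added worked example, not code from the original post or from the Snort
# project. It reproduces the |00|-interleaved patterns of the attached rules.


def wide_bytes(name):
    """Encode a file name the way an SMB Unicode request carries it (UTF-16LE)."""
    return name.encode("utf-16-le")


def snort_content(data):
    """Render bytes in Snort content: syntax -- printable ASCII literally,
    everything else as |hh| hex escapes, with adjacent escapes merged."""
    parts = []
    hex_run = []

    def flush():
        if hex_run:
            parts.append("|" + " ".join(hex_run) + "|")
            del hex_run[:]

    for b in data:
        # characters with a special meaning inside content:"..." go as hex too
        if 0x20 <= b < 0x7F and chr(b) not in '|"\\;':
            flush()
            parts.append(chr(b))
        else:
            hex_run.append("%02X" % b)
    flush()
    return "".join(parts)


def wide_match(payload, name, nocase=False):
    """True if name occurs in payload in UTF-16LE form. nocase mirrors Snort's
    nocase; modifier: without it the match is case-sensitive, like content:."""
    pattern = re.escape(wide_bytes(name))
    flags = re.IGNORECASE if nocase else 0
    return re.search(pattern, payload, flags) is not None


def rule_for(name, sid):
    """Emit a rule in the same shape as the attached signatures. The sid is a
    placeholder in the local (>= 1000000) range; msg and classtype are assumed."""
    return (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 '
        '(msg:"NETBIOS wide %s"; content:"%s"; nocase; flags:A+; '
        'classtype:bad-unknown; sid:%d; rev:1;)'
        % (name, snort_content(wide_bytes(name)), sid)
    )


# Constructed sample payload: NOT a real SMB frame, only the parts that matter
# here -- a NetBIOS length prefix, the 0xFF "SMB" marker, some padding and a
# Unicode path in the form an SMB client sends it.
SAMPLE = (
    b"\x00\x00\x00\x40\xffSMB" + b"\x00" * 8
    + wide_bytes("\\docs\\README.EML") + b"\x00\x00"
)

if __name__ == "__main__":
    print(snort_content(wide_bytes(".EML")[1:-1]))        # pattern used in sid 1293
    print(rule_for("readme.exe", 1000001))
    print(b"README.EML" in SAMPLE)                        # plain ASCII: False
    print(wide_match(SAMPLE, "readme.eml"))               # wide, case-sensitive: False
    print(wide_match(SAMPLE, "readme.eml", nocase=True))  # wide + nocase: True
```

Two things the output makes visible. First, the attached patterns are slices of the wide string: "|00|E|00|M|00|L" is ".EML" in UTF-16LE with the leading '.' and the trailing null dropped, and "R|00|I|00|C|00|H|00|E|00|D|00|2|00|0" is "RICHED20" without its trailing null, which is why they look offset by a byte from a naive encoding. Second, Snort content matches are case-sensitive unless the rule adds nocase;, so a pattern written in upper case matches only an upper-case file name on the wire; the example emits nocase; for that reason. These rules also watch port 139 only; SMB is additionally carried directly over TCP/445 on Windows 2000 and later, so a deployment that sees such traffic needs the same patterns on that port.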

