[Snort-users] Nimda rules that may help

Dr SuSE drsuse at ...748...
Tue Sep 18 12:21:04 EDT 2001

So far this morning we have seen almost 100,000 attempted cmd.exe exploits.
What we have done was comment out the cmd.exe exploit rule and rewrite it so 
that it looks for infected hosts on our internal network attempting to exploit 
external hosts.   Here is the rule:

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 80 (msg:"WEB-IIS cmd.exe Out"; 
flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user;sid
:1002; rev:1;)

Also, Chris Mayor wrote a simple rule to detect an incoming Nimda virus.

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"w32.Nimda worm incoming"; 
flags: A+; content:"|6D 65 3D 22 72 65 61 64 6D 65 2E 65 78 65 22|";)

Microsoft ist nicht installiert.

More information about the Snort-users mailing list