[Snort-users] Concept/Nimda Snort 1.8.1 rules

Paul Asadoorian paul.com at ...530...
Tue Sep 18 15:07:02 EDT 2001


All:

I wrote two new rules in an attempt to log this activity at my site:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT"; uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin; rev:1;)

This rule catches anything that the other rules may miss.  Granted it needs
work and integration into the other IIS rules, but it has logged entries and
helped me to identify hosts that are infected.

alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email Attachment"; content:"readme.exe"; nocase; flags:A+;)

The version of sendmail we are running does not allow us to filter by
attachment :-(  I wrote the above rule to log all the email activity; we are
lucky to have one mail aggregation point, which makes this rule very effective
for finding attachments.

Hope this helps....

Paul Asadoorian, GCIA
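To show what the two rules above actually test for, here is an added example (not part of the original post, and not Snort's own code) that parses the rules' msg, content/uricontent and nocase options and applies them to constructed sample traffic. Only the options these two rules use are interpreted; port matching is by destination port, and the packet layout (dport, uri, payload) is an assumption of the example.

```python
import re

# The two rules from the post, verbatim (Snort 1.8 option syntax).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT"; '
    'uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin; rev:1;)',
    'alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email '
    'Attachment"; content: "readme.exe"; nocase; flags:A+;)',
]

# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$')

def parse_rule(text):
    """Extract the destination port, msg and content/uricontent matchers."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised rule header")
    _action, _proto, _src, _sport, _dst, dport, opts = m.groups()
    rule = {"dport": int(dport), "msg": "", "matchers": []}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key in ("content", "uricontent"):
            rule["matchers"].append({"kind": key, "pattern": val, "nocase": False})
        elif key == "nocase":          # modifies the preceding content option
            rule["matchers"][-1]["nocase"] = True
        elif key == "msg":
            rule["msg"] = val
    return rule

def matches(rule, pkt):
    """uricontent is tested against the URI, content against the payload."""
    if pkt["dport"] != rule["dport"]:
        return False
    for m in rule["matchers"]:
        hay = pkt.get("uri", "") if m["kind"] == "uricontent" else pkt.get("payload", "")
        needle = m["pattern"]
        if m["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True

def scan(packets, rules=RULES):
    parsed = [parse_rule(r) for r in rules]
    return [r["msg"] for p in packets for r in parsed if matches(r, p)]

# Constructed sample traffic (not captured data); mixed case exercises nocase.
SAMPLE_PACKETS = [
    {"dport": 80, "uri": "/scripts/cmd.exe?/C+DIR", "payload": ""},
    {"dport": 80, "uri": "/index.html", "payload": ""},
    {"dport": 25, "payload": 'Content-Disposition: attachment; filename="README.EXE"'},
    {"dport": 25, "payload": 'filename="c+dir.txt"'},  # wrong port for rule 1
]
```

Running scan(SAMPLE_PACKETS) yields one hit per rule; the last packet shows that the uricontent rule is bound to port 80 and does not fire on SMTP traffic.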
