[Snort-users] Concept/Nimda Snort 1.8.1 rules

Paul Asadoorian paul.com at ...530...
Tue Sep 18 15:07:02 EDT 2001


I wrote two new rules in an attempt to log this activity at my site:

uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin;  rev:1;)

This rule catches anything that the other rules may miss.  Granted it needs
work and integration into the other IIS rules, but has logged entries and
helped me to idenifty hosts that are infected.

alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email
Attachment"; content: "readme.exe"; nocase; flags:A+;)

The version of sendmail we are running does not allow us to filter by
attachment :-(  I wrote the above rule to log all the email activity, we are
luck to have one mail aggregation point which makes this rule very effective
for finding attachments.

Hope this helps....

Paul Asadoorian, GCIA

More information about the Snort-users mailing list