[Snort-users] Nimda Rules

Lists lists at ...3351...
Wed Sep 19 13:53:03 EDT 2001


I have used these two successfully.  

Note: I got these off another list; I can't remember who posted them,
but they work.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT"; \
    uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin; rev:1;)

alert tcp any any -> $HOME_NET 25 \
    (msg:"Possible CONCEPT Worm Email Attachment"; \
    content: "readme.exe"; nocase; flags:A+;)



Ben Keepper

 





