[Snort-users] Nimda Rules
lists at ...3351...
Wed Sep 19 13:53:03 EDT 2001
I have used these two successfully.
Note: I got these off another list, I can't remember who posted them,
but they work.
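# HTTP: request URI containing "c+dir" (case-insensitive), ACK flag set, to the web servers on port 80
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT"; uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin;)
# SMTP: payload containing "readme.exe" (case-insensitive), ACK flag set, to port 25 on the home network
alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email Attachment"; content: "readme.exe"; nocase; flags:A+;)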