[Snort-users] Nimda Rules

Rich Adamson radamson at ...2127...
Wed Sep 19 16:07:02 EDT 2001

> I have used these two successfully.  
> Note: I got these off another list, I can't remember who posted them,
> but they work.
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT";
> uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin;
> rev:1;)
> alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email
> Attachment"; content: "readme.exe"; nocase; flags:A+;)

This second rule seems to trip on every inbound email regardless of
whether "readme.exe" exists or not. Any thoughts on what I might be
doing wrong?


More information about the Snort-users mailing list