[Snort-users] Nimda Rules
radamson at ...2127...
Wed Sep 19 16:07:02 EDT 2001
> I have used these two successfully.
> Note: I got these off another list, I can't remember who posted them,
> but they work.
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT";
> uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin;)
> alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email
> Attachment"; content: "readme.exe"; nocase; flags:A+;)
This second rule seems to trip on every inbound email regardless of
whether "readme.exe" exists or not. Any thoughts on what I might be
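The two rules from the quoted post, run through a small Snort 1.x option parser and substring matcher, so you can check what the content and uricontent options match as written. This is an added example, not code from the thread or from Snort: the traffic samples are constructed, and the flags:A+ test and the $HOME_NET/$HTTP_SERVERS variables are ignored.

```python
import re

# Rules from the post above, with their option lists terminated by ')'.
NIMDA_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT"; '
    'uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin;)',
    'alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email '
    'Attachment"; content: "readme.exe"; nocase; flags:A+;)',
]

# Constructed sample payloads (not real captures).
HTTP_PROBE = "GET /cgi-bin/x?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n"
MAIL_WITH_README = "Content-Disposition: attachment; filename=README.EXE\r\n"
MAIL_BENIGN = "Content-Disposition: attachment; filename=report.txt\r\n"

def parse_rule(rule):
    """Split a Snort 1.x rule into header fields and an option dict."""
    header, _, body = rule.partition("(")
    if not body.endswith(")"):
        raise ValueError("rule option list is not terminated with ')'")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    opts = {}
    for opt in body[:-1].split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")      # 'nocase' has no value
        opts[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto, "dport": dport, "opts": opts}

def rule_matches(rule, dport, payload):
    """Apply the content/uricontent options (with nocase) to one payload."""
    r = parse_rule(rule)
    if r["dport"] not in ("any", dport):
        return False
    opts = r["opts"]
    fold = str.lower if "nocase" in opts else str
    if "content" in opts and fold(opts["content"]) not in fold(payload):
        return False
    if "uricontent" in opts:
        # uricontent only inspects the request URI, not the whole payload
        m = re.match(r"[A-Z]+ (\S+) HTTP/", payload)
        if not m or fold(opts["uricontent"]) not in fold(m.group(1)):
            return False
    return True

if __name__ == "__main__":
    for rule, port, data in [(NIMDA_RULES[0], "80", HTTP_PROBE),
                             (NIMDA_RULES[1], "25", MAIL_WITH_README),
                             (NIMDA_RULES[1], "25", MAIL_BENIGN)]:
        print(parse_rule(rule)["opts"]["msg"], "->", rule_matches(rule, port, data))
```

On these samples only the message carrying the readme.exe attachment name trips the second rule, so an alert on every inbound mail points at something other than the content string itself.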