[Snort-users] Nimda Rules

Dr SuSE drsuse at ...748...
Wed Sep 19 17:13:04 EDT 2001


The email rule was written based on early reports that the attached infected
file was called readme.exe. I have since learned that the names vary, so this
rule should no longer be considered effective.


> > I have used these two successfully.  
> > 
> > Note: I got these off another list, I can't remember who posted them,
> > but they work.
> > 
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT";
> > uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin;
> > rev:1;)
> > 
> > alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email
> > Attachment"; content: "readme.exe"; nocase; flags:A+;)
> 
> This second rule seems to trip on every inbound email regardless of
> whether "readme.exe" exists or not. Any thoughts on what I might be
> doing wrong?
> 
> Rich
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 


"Flush twice....it's a long way to
afghanistan"

---------------------------------------------
Microsoft is not installed.
http://www.drsuse.org/
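To see how the two quoted rules behave against traffic, the following is an added example (not code from this thread or from the Snort project). It reimplements only the rule options the two rules actually use, a case-insensitive `content`/`uricontent` substring match, and runs them over constructed sample HTTP requests and MIME messages. The attachment names other than readme.exe, the hostnames and the MIME bodies are made-up inputs, not samples from the original post.

```python
"""Simulated matching for the two Nimda Snort rules quoted in this thread.

Added example, not from the original post. Implements only the subset of
rule-option semantics the two rules use (content / uricontent with nocase),
so it can be run offline against constructed sample traffic.
"""
import re


def nocase_contains(haystack: bytes, needle: bytes) -> bool:
    """Snort 'content:"..."; nocase;' is a case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def http_uri(request: bytes) -> bytes:
    """Extract the request-URI from an HTTP request line (what uricontent inspects)."""
    m = re.match(rb"^[A-Z]+\s+(\S+)\s+HTTP/", request)
    return m.group(1) if m else b""


def concept_attempt(request: bytes) -> bool:
    """First rule: uricontent:"c+dir"; nocase; matched against the request URI."""
    return nocase_contains(http_uri(request), b"c+dir")


def concept_email(smtp_payload: bytes) -> bool:
    """Second rule: content:"readme.exe"; nocase; matched anywhere in the SMTP data."""
    return nocase_contains(smtp_payload, b"readme.exe")


# Constructed sample HTTP requests (not captures from the original thread).
SAMPLE_HTTP = {
    # cmd.exe probe via directory traversal, ending in "/c+dir"
    "nimda_probe": b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n",
    # same probe in upper case: nocase still catches it
    "upper_case": b"GET /scripts/../../winnt/system32/CMD.EXE?/C+DIR HTTP/1.0\r\n",
    "benign": b"GET /index.html HTTP/1.0\r\n",
}


def smtp_message(filename: str) -> bytes:
    """Build a minimal constructed MIME message carrying an attachment named `filename`."""
    return (
        b"From: a@example.test\r\nTo: b@example.test\r\n"
        b"Content-Type: multipart/mixed; boundary=XX\r\n\r\n--XX\r\n"
        b'Content-Type: audio/x-wav; name="' + filename.encode() + b'"\r\n'
        b"Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA//8AALgA\r\n--XX--\r\n"
    )


# Constructed sample messages; the non-readme.exe names are hypothetical.
SAMPLE_SMTP = {
    "readme": smtp_message("readme.exe"),
    "readme_caps": smtp_message("README.EXE"),
    "renamed": smtp_message("invoice.exe"),   # same body, different name: missed
    "benign": smtp_message("notes.txt"),
}


def run_rules() -> dict:
    """Apply each rule to its sample set; True means the rule would alert."""
    return {
        "http": {k: concept_attempt(v) for k, v in SAMPLE_HTTP.items()},
        "smtp": {k: concept_email(v) for k, v in SAMPLE_SMTP.items()},
    }


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        for name, hit in hits.items():
            print(f"{rule:4} {name:12} {'ALERT' if hit else '-'}")
```

The "renamed" message shows the weakness the reply describes: a filename-based `content` match alerts only on the exact name it was written for, so an attachment carrying the same bytes under a different name passes untouched.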