[Snort-users] Nimda Rules

Phil Wood cpw at ...440...
Wed Sep 19 18:58:02 EDT 2001


On Wed, Sep 19, 2001 at 06:03:17PM -0600, Rich Adamson wrote:
> > I have used these two successfully.  
> > 
> > Note: I got these off another list, I can't remember who posted them,
> > but they work.
> > 
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT";
> > uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin;
> > rev:1;)
> > 
> > alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email
> > Attachment"; content: "readme.exe"; nocase; flags:A+;)
                              ^
You will find this a lot in just plain email discussing this.  In fact,
your snort should trigger on this email %^)

> 
> This second rule seems to trip on every inbound email regardless of
> whether "readme.exe" exists or not. Any thoughts on what I might be
> doing wrong?
> 
> Rich
> 
> 

-- 
Phil Wood, cpw at ...440...
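As an added illustration of why the second rule trips on ordinary mail (this is not code from the thread), the Python below simulates the `content:"readme.exe"; nocase;` match over two constructed SMTP payloads: a plain discussion message that merely mentions the worm's file name, and a message that actually carries it as a MIME attachment. It also shows a narrower check that only fires when `readme.exe` is the `name=`/`filename=` parameter of a MIME part header. The message texts, addresses and the attachment headers are all made up for the example; the MIME header layout is the usual RFC 2045/2183 form, not something taken from the thread.

```python
import re

# Constructed sample: a mailing-list message that only talks about the worm.
DISCUSSION_MAIL = (
    "From: alice@example.test\r\n"
    "To: snort-users@example.test\r\n"
    "Subject: Re: Nimda rules\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "The worm mails itself as README.EXE, so a rule that just looks for\r\n"
    "the string readme.exe will fire on this message too.\r\n"
)

# Constructed sample: a message that really carries readme.exe as a MIME part.
ATTACHMENT_MAIL = (
    "From: bob@example.test\r\n"
    "To: carol@example.test\r\n"
    "Subject: hi\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    "\r\n"
    "--XYZ\r\n"
    'Content-Type: application/octet-stream; name="readme.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="readme.exe"\r\n'
    "\r\n"
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    "--XYZ--\r\n"
)

# Constructed sample: unrelated mail that should match neither check.
CLEAN_MAIL = (
    "From: dave@example.test\r\n"
    "To: erin@example.test\r\n"
    "Subject: lunch\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Noon at the usual place?\r\n"
)


def naive_rule(payload: str) -> bool:
    """Equivalent of  content:"readme.exe"; nocase;  -- a case-insensitive
    substring search over the whole TCP payload, headers and body alike."""
    return "readme.exe" in payload.lower()


# Only match when readme.exe is the value of a MIME name= / filename= parameter
# on a Content-Type or Content-Disposition header line.
ATTACHMENT_RE = re.compile(
    r'^content-(?:type|disposition):[^\r\n]*\b(?:file)?name="?readme\.exe"?',
    re.IGNORECASE | re.MULTILINE,
)


def attachment_rule(payload: str) -> bool:
    """Narrower check: fires on the attachment header, not on prose."""
    return ATTACHMENT_RE.search(payload) is not None


def evaluate(payload: str) -> dict:
    """Run both checks so the difference is visible side by side."""
    return {"naive": naive_rule(payload), "attachment": attachment_rule(payload)}


if __name__ == "__main__":
    for label, mail in (("discussion", DISCUSSION_MAIL),
                        ("attachment", ATTACHMENT_MAIL),
                        ("clean", CLEAN_MAIL)):
        print(label, evaluate(mail))
```

The naive check fires on both the discussion message and the real attachment, which is exactly the behaviour reported in the thread: any mail whose text mentions the file name trips it. Anchoring on the MIME filename parameter keeps the real attachment and drops the chatter. Two caveats for anyone turning this into a real rule: long MIME headers may be folded across lines, which the single-line regex above would miss, and a name can be MIME-encoded rather than written literally, so this is a reduction in noise, not a complete detector.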