[Snort-users] Nimda Rules
cpw at ...440...
Wed Sep 19 18:58:02 EDT 2001
On Wed, Sep 19, 2001 at 06:03:17PM -0600, Rich Adamson wrote:
> > I have used these two successfully.
> > Note: I got these off another list, I can't remember who posted them,
> > but they work.
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"CONCEPT ATTEMPT";
> > uricontent:"c+dir"; nocase; flags:A+; classtype:attempted-admin;
> > rev:1;)
> > alert tcp any any -> $HOME_NET 25 (msg:"Possible CONCEPT Worm Email
> > Attachment"; content: "readme.exe"; nocase; flags:A+;)
You will find this a lot in just plain email discussing this. In fact,
your Snort should trigger on this email %^)
> This second rule seems to trip on every inbound email regardless of
> whether "readme.exe" exists or not. Any thoughts on what I might be
> doing wrong?
Phil Wood, cpw at ...440...
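The point Phil makes is the classic one for a bare content match on a mail stream: `content:"readme.exe"` fires on any message that merely mentions the filename, which is why the second rule trips on every inbound mail during a worm outbreak. The script below is an added example, not code from the thread or from the Snort project; it simulates the posted rule's match against three constructed SMTP payloads and contrasts it with a check that only fires when "readme.exe" appears as a MIME attachment name in a Content-Type or Content-Disposition header. The sample messages, addresses and the attachment's base64 stub are all made up.

```python
"""Added example: bare content match versus MIME-header match for "readme.exe".

All three messages below are constructed samples, not captured traffic.
"""
import re

# Constructed: a list mail that only talks about the worm (no attachment).
DISCUSSION_MAIL = b"""From: alice@example.invalid
To: list@example.invalid
Subject: Nimda rules
Content-Type: text/plain

The worm mails itself as an attachment named readme.exe, so watch for that.
"""

# Constructed: a mail that actually carries a file called readme.exe.
ATTACHMENT_MAIL = b"""From: bob@example.invalid
To: carol@example.invalid
Subject: hi
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attached
--XYZ
Content-Type: application/octet-stream; name="readme.exe"
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ--
"""

# Constructed: an unrelated mail that never mentions the string.
PLAIN_MAIL = b"""From: dave@example.invalid
To: erin@example.invalid
Subject: lunch

noon?
"""


def bare_content_match(payload: bytes) -> bool:
    """Mimic the posted rule: content:"readme.exe"; nocase; anywhere in the stream."""
    return b"readme.exe" in payload.lower()


# Only match when the string is the value of a name= / filename= parameter on a
# Content-Type or Content-Disposition header line, i.e. an actual attachment.
ATTACHMENT_RE = re.compile(
    rb'^content-(?:disposition|type):.*?\b(?:filename|name)\s*=\s*"?readme\.exe"?',
    re.IGNORECASE | re.MULTILINE,
)


def attachment_header_match(payload: bytes) -> bool:
    """Fire only on a MIME header that names readme.exe as the attachment."""
    return ATTACHMENT_RE.search(payload) is not None


def compare(samples: dict) -> dict:
    """Return {label: (bare_match, header_match)} for each sample payload."""
    return {
        label: (bare_content_match(body), attachment_header_match(body))
        for label, body in samples.items()
    }


if __name__ == "__main__":
    results = compare({
        "discussion": DISCUSSION_MAIL,
        "attachment": ATTACHMENT_MAIL,
        "plain": PLAIN_MAIL,
    })
    print(f"{'sample':<12}{'bare':>6}{'header':>8}")
    for label, (bare, hdr) in results.items():
        print(f"{label:<12}{str(bare):>6}{str(hdr):>8}")
```

The bare match hits both the discussion mail and the real attachment, which is exactly the behaviour reported in the thread; the header-anchored check hits only the real attachment. In Snort terms the same narrowing is roughly a content option on the header text (for example matching `filename="readme.exe"` rather than the bare filename), which still misses encoded or renamed attachments, so it trades the noise of the original rule for a narrower but more specific signature.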