[Snort-users] local codered infection

bthaler at ...2720...
Wed Feb 6 10:28:04 EST 2002


Is anyone using a snort rule to detect *local* infections of codered, nimda,
etc?

I tried:
alert tcp x.x.x.x any -> any 80 (msg:"***LOCAL CODERED INFECTION***"; content:"/cmd.exe"; nocase;)

but this doesn't seem to work.

I tested it by trying to access www.yahoo.com/cmd.exe, which should throw a
false positive.

Is my testing flawed, or the rule, or both?
Sincerely,

Brad T.
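Added example, not part of Brad's post or of Snort itself: the matching logic the rule above expresses (source inside the local range, destination port 80, case-insensitive "/cmd.exe" in the payload), written in Python over constructed packet records so the direction and nocase semantics can be checked offline. The 192.168.1.0/24 range stands in for the post's x.x.x.x placeholder, and the Packet class, scan() helper and sample payloads are all assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed internal range standing in for the post's "x.x.x.x" source address.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Packet:
    """Minimal stand-in for a decoded TCP segment (constructed for this example)."""
    src: str
    dst: str
    dport: int
    payload: bytes


def rule_matches(pkt: Packet, home_net=HOME_NET, pattern: bytes = b"/cmd.exe") -> bool:
    """Mirror the rule: tcp HOME_NET any -> any 80 (content:"/cmd.exe"; nocase;).

    Only traffic *originating* from the local range is considered, so an
    inbound scan against a local web server does not match; that is what
    makes it a "local infection" rule rather than a generic cmd.exe rule.
    """
    if ipaddress.ip_address(pkt.src) not in home_net:
        return False
    if pkt.dport != 80:
        return False
    # "nocase" compares without regard to ASCII case.
    return pattern.lower() in pkt.payload.lower()


def scan(packets):
    """Return (src, dst) pairs for every packet the rule would alert on."""
    return [(p.src, p.dst) for p in packets if rule_matches(p)]


# Constructed sample traffic: two outbound hits (one mixed case), one inbound
# request that must not match, one wrong port, one benign request.
SAMPLE = [
    Packet("192.168.1.10", "203.0.113.5", 80,
           b"GET /cmd.exe HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    Packet("192.168.1.11", "203.0.113.6", 80,
           b"GET /scripts/CMD.EXE HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    Packet("198.51.100.7", "192.168.1.20", 80,
           b"GET /cmd.exe HTTP/1.0\r\nHost: intranet\r\n\r\n"),
    Packet("192.168.1.12", "203.0.113.7", 443,
           b"GET /cmd.exe HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    Packet("192.168.1.13", "203.0.113.8", 80,
           b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst in scan(SAMPLE):
        print(f"***LOCAL CODERED INFECTION*** {src} -> {dst}")
```

Running it prints two alerts, for the first two sample packets only; the inbound request from 198.51.100.7 is ignored because its source is outside the local range, which is the property a rule keyed on the local source address is meant to have.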