[Snort-users] local codered infection

Chip Kelly Chip.Kelly at ...4824...
Wed Feb 6 10:46:08 EST 2002

alert tcp $INTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Local rule: CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype:web-application-attack; sid: 1000000; rev:1;)

The only difference between your rule and the one for CodeRed V2 located in WEB-IIS.rules appears to be "content:" versus "uricontent:" -chip

-----Original Message-----
From: bthaler at ...2720... [mailto:bthaler at ...2720...]
Sent: Wednesday, February 06, 2002 1:28 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] local codered infection

Is anyone using a snort rule to detect *local* infections of codered, nimda,

I tried:
alert tcp x.x.x.x any -> any 80 (msg:"***LOCAL CODERED INFECTION***";
content:"/cmd.exe"; nocase;)

but this doesn't seem to work.

I tested it by trying to access www.yahoo.com/cmd.exe, which should throw a
false positive.

Is my testing flawed, or the rule, or both?


Brad T.

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list