[Snort-users] local codered infection

Ryan Russell ryan at ...35...
Wed Feb 6 10:52:03 EST 2002


On Wed, 6 Feb 2002 bthaler at ...2720... wrote:

> Is anyone using a snort rule to detect *local* infections of codered, nimda,
> etc?
>
> I tried:
> alert tcp x.x.x.x any -> any 80 (msg:"***LOCAL CODERED INFECTION***";
> content:"/cmd.exe"; nocase;)

CodeRed.b is the only active one out there at the moment.  It doesn't
contain the string "cmd.exe".  That was Codered II (CodeRed.c and
CodeRed.d).

>
> but this doesn't seem to work.
>
> I tested it by trying to access www.yahoo.com/cmd.exe, which should throw a
> false positive.
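To make the posted rule's matching semantics concrete, here is an added Python emulation (not Snort itself, and not code from either poster) that applies the rule's three conditions, source address in the local range, destination port 80, and a case-insensitive `/cmd.exe` content match, to a few constructed request records including the www.yahoo.com/cmd.exe test from the question. The local address x.x.x.x is assumed to be in 10.0.0.0/24, and all addresses and payloads below are constructed samples, not captured traffic.

```python
import ipaddress
from dataclasses import dataclass

# Emulates the rule from the question:
#   alert tcp x.x.x.x any -> any 80 (msg:"***LOCAL CODERED INFECTION***"; content:"/cmd.exe"; nocase;)
# LOCAL_NET stands in for x.x.x.x (assumption: the watched local hosts live in 10.0.0.0/24).
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")
RULE_MSG = "***LOCAL CODERED INFECTION***"
CONTENT = b"/cmd.exe"  # the content: option; nocase; makes the comparison case-insensitive


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def rule_matches(pkt: Packet) -> bool:
    """True only when every rule condition holds; Snort ANDs header and payload checks."""
    if ipaddress.ip_address(pkt.src) not in LOCAL_NET:  # source side: x.x.x.x any
        return False
    if pkt.dport != 80:  # destination side: -> any 80
        return False
    return CONTENT in pkt.payload.lower()  # content:"/cmd.exe"; nocase;


def run(packets):
    """Return one (src, dst, msg) alert tuple per matching packet."""
    return [(pkt.src, pkt.dst, RULE_MSG) for pkt in packets if rule_matches(pkt)]


# Constructed sample traffic (documentation addresses, not a real capture).
SAMPLES = [
    # the poster's own test: local host fetching www.yahoo.com/cmd.exe -> should alert
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /cmd.exe HTTP/1.0\r\nHost: www.yahoo.com\r\n\r\n"),
    # upper-case variant: nocase still matches
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /scripts/CMD.EXE HTTP/1.0\r\n\r\n"),
    # inbound probe against the local host: source is not local, so this rule stays silent
    Packet("203.0.113.7", "10.0.0.5", 80, b"GET /cmd.exe HTTP/1.0\r\n\r\n"),
    # right string, wrong destination port
    Packet("10.0.0.5", "192.0.2.10", 8080, b"GET /cmd.exe HTTP/1.0\r\n\r\n"),
    # ordinary request without the string: a worm that never sends "/cmd.exe" looks like this to the rule
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in run(SAMPLES):
        print(alert)
```

Only the first two records produce alerts; the inbound probe is missed by design because the rule watches the local side as the source, which is what distinguishes an infected local host from an outside scanner.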


