[Snort-users] local codered infection

bthaler at ...2720... bthaler at ...2720...
Wed Feb 6 10:59:14 EST 2002


The rule is in local.rules along with my other codered rules.

I just realized that it is *below* the other codered rules, which is
probably the problem.

Yes, I did restart snort.

Sincerely,

Brad T.
Technical Support
WebStream Internet Solutions

brad at ...2720...
http://www.webstream.net
(888) 932-2333 Toll-Free
(954) 730-7127 Local
(954) 733-7067 Fax
(954) 730-7405 Help Desk

*******************Internet Email Confidentiality Footer*******************

This communication contains proprietary business information and
may contain confidential information. If the reader of this
message is not the intended recipient, or the employee or agent
responsible to deliver it to the intended recipient, you are
hereby notified that any dissemination, distribution or copying of
this communication is strictly prohibited. If you have received
this communication in error, please immediately destroy, discard,
or erase this communication.
----- Original Message -----
From: "Ryan Russell" <ryan at ...35...>
To: <bthaler at ...2720...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Wednesday, February 06, 2002 1:49 PM
Subject: Re: [Snort-users] local codered infection


> On Wed, 6 Feb 2002 bthaler at ...2720... wrote:
>
> > Is anyone using a snort rule to detect *local* infections of codered, nimda,
> > etc?
> >
> > I tried:
> > alert tcp x.x.x.x any -> any 80 (msg:"***LOCAL CODERED INFECTION***"; content:"/cmd.exe"; nocase;)
>
> CodeRed.b is the only active one out there at the moment.  It doesn't
> contain the string "cmd.exe".  That was Codered II (CodeRed.c and
> CodeRed.d).
>
> >
> > but this doesn't seem to work.
> >
> > I tested it by trying to access www.yahoo.com/cmd.exe, which should throw a
> > false positive.
>
> From that IP address, obviously, yes?
>
> >
> > Is my testing flawed, or the rule, or both?
>
> Where did you put the rule, and did you restart Snort?
>
> Ryan
>
>
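The following is an added example and not code from the thread or from the Snort project. It is a small stand-in for Snort's content matching, written to show the two points the exchange turns on: the posted "/cmd.exe" rule cannot fire on CodeRed.b traffic because that worm's request contains no "cmd.exe" string, and a rule placed below a broader rule in local.rules is shadowed when the engine, as the Snort 1.x releases of the time did, reports only the first rule that matches a packet. Everything in it is constructed: the address 10.1.2.50 stands in for the poster's x.x.x.x, the two "other codered rules" in local.rules are invented stand-ins (the real ones are not shown in the thread), and the request lines are modelled on the worms' known request shapes. Only the rule-header form used in the thread ("alert tcp SRC any -> any 80 (...)") is parsed, and only the msg, content and nocase options are honoured.

```python
"""Added example: a minimal simulation of Snort 1.x content matching and
first-match alerting, with constructed rules, addresses and request lines."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str        # source field of the rule header: "any", an address or a CIDR
    msg: str
    content: str
    nocase: bool


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    payload: str    # the HTTP request line carried in the TCP payload


# Only the header shape used in the thread is supported.
HEADER_RE = re.compile(r"^alert tcp (\S+) any -> any 80 \((.*)\)$")


def parse_rule(line: str) -> Rule:
    """Parse the subset of Snort 1.x rule syntax the thread uses (msg, content, nocase)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule header: {line!r}")
    src, body = m.groups()
    opts, nocase = {}, False
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        if opt == "nocase":
            nocase = True
            continue
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return Rule(src, opts["msg"], opts["content"], nocase)


def parse_rules(text: str) -> list:
    """Parse a rules file in file order; that order decides which alert is reported."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Source-address check from the header, then a plain substring 'content:' match."""
    if rule.src != "any":
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src, strict=False):
            return False
    hay, needle = pkt.payload, rule.content
    if rule.nocase:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def first_alert(rules, pkt: Packet):
    """Snort 1.x behaviour: the first matching rule in file order is the one reported."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.msg
    return None


INFECTED = "10.1.2.50"   # constructed stand-in for the poster's x.x.x.x

# Constructed stand-in for the poster's local.rules: the new rule sits *below*
# two broader (invented) CodeRed rules, as described in the thread.
LOCAL_RULES_AS_POSTED = f"""
alert tcp any any -> any 80 (msg:"CODERED root.exe access"; content:"/root.exe"; nocase;)
alert tcp any any -> any 80 (msg:"CODERED cmd.exe access"; content:"cmd.exe"; nocase;)
alert tcp {INFECTED} any -> any 80 (msg:"***LOCAL CODERED INFECTION***"; content:"/cmd.exe"; nocase;)
"""

# The same three rules in reverse order, so the local-infection rule is on top.
LOCAL_RULES_REORDERED = "\n".join(reversed(LOCAL_RULES_AS_POSTED.strip().splitlines()))

# CodeRed.b never requests cmd.exe; it hits the .ida ISAPI overflow via
# /default.ida, so a rule for it has to key on that string instead.
CODERED_B_RULE = (f'alert tcp {INFECTED} any -> any 80 '
                  '(msg:"***LOCAL CODERED.B INFECTION***"; content:"/default.ida?"; nocase;)')

# Constructed request lines modelled on the worms' known request shapes.
PACKETS = {
    # the poster's test: fetch /cmd.exe from the monitored host
    "yahoo_test":   Packet(INFECTED, "198.51.100.10", "GET /cmd.exe HTTP/1.0"),
    # CodeRed.b propagation attempt: .ida overflow, no cmd.exe in the request
    "codered_b":    Packet(INFECTED, "198.51.100.20",
                           "GET /default.ida?" + "N" * 224 + "%u9090%u6858 HTTP/1.0"),
    # Nimda-style traversal from the local host; upper case exercises nocase
    "nimda_out":    Packet(INFECTED, "198.51.100.30",
                           "GET /scripts/..%c1%1c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0"),
    # the same kind of probe arriving from outside: not a *local* infection
    "inbound_scan": Packet("203.0.113.7", INFECTED, "GET /scripts/root.exe?/c+dir HTTP/1.0"),
}


def demo() -> dict:
    """Which alert each constructed packet produces under each rule ordering."""
    posted = parse_rules(LOCAL_RULES_AS_POSTED)
    reordered = parse_rules(LOCAL_RULES_REORDERED)
    with_b = parse_rules(CODERED_B_RULE + "\n" + LOCAL_RULES_REORDERED)
    return {
        "yahoo_test/as_posted": first_alert(posted, PACKETS["yahoo_test"]),
        "yahoo_test/reordered": first_alert(reordered, PACKETS["yahoo_test"]),
        "codered_b/reordered":  first_alert(reordered, PACKETS["codered_b"]),
        "codered_b/with_b":     first_alert(with_b, PACKETS["codered_b"]),
        "nimda_out/reordered":  first_alert(reordered, PACKETS["nimda_out"]),
        "inbound/reordered":    first_alert(reordered, PACKETS["inbound_scan"]),
    }


if __name__ == "__main__":
    for case, alert in demo().items():
        print(f"{case:24} -> {alert}")
```

Running it shows the yahoo.com/cmd.exe test being reported under the broader "cmd.exe" rule while the local rule sits below it, the local rule firing once it is moved above, the CodeRed.b request matching nothing until a /default.ida rule is added, and an inbound probe never tripping the source-restricted local rule. The source-address restriction in the header is what makes the rule a "local infection" detector; the content match alone would fire on anyone's traffic.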