[Snort-users] nimda

Rodney Wise sctech29169 at ...131...
Sun Jul 14 06:19:02 EDT 2002


I get hit all the time with SQL Spida worm and I am
not running a SQL Server at all! It seems reasonable
that he is getting hit with the Nimda scan, but
because it IS looking for an open port 80 it just
moves on.

Rodney Wise


--- "Hicks, John" <JHicks at ...5857...> wrote:
> Nimda is a hybrid virus composed of both Email and
> Web-Worm components:
>
> http://www.wired.com/news/technology/0,1282,46944,00.html
> 
> hth,
> 
> John
> 
> -----Original Message-----
> From: J. Craig Woods
> [mailto:drjung at ...5405...]
> Sent: Friday, July 12, 2002 4:21 PM
> To: Hugo Ferr; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] nimda
> 
> 
> Hugo Ferr wrote:
> > 
> > I just wonder - we're getting hit by a bunch of nimda and those e-mails are
> > rejected on our perimeter mail scanner - shouldn't I see some activity in
> > snort regarding nimda?
> > (snort 1.8.6)
> > In snort.conf mail scanner is included in home_net and snort machine is set
> > up to sniff the traffic coming to firewall public ip (mail scanner has dmz
> > address nated to public ip by firewall)
> > So again isn't it strange that I don't see any nimda activity in snort
> > sensor?
> 
> Maybe I am missing something here, and it would not
> be the first nor the
> last time that I missed something but wouldn't your
> mail scanner be
> picking traffic up on port 25? Nimda attacks would
> be on port 80.
> Furthermore, are you saying that the nimda is part
> of the email traffic?
> Not sure what you are saying here. Maybe you could
> elucidate for us...
> 
> drjung
> 
> -- 
> J. Craig Woods
> UNIX Network/System Administration
> http://www.trismegistus.net/resume.html
> Character is built upon the debris of despair
> --Emerson
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Gadgets, caffeine, t-shirts, fun stuff.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
>

