[Snort-users] DOS rules for Nimda
cmg at ...1935...
Thu Sep 26 07:07:02 EDT 2002
"Richard Ellerbrock" <richarde at ...6992...> writes:
> I am trying to help a very large site that is being killed by denial of
> service due to a large number of MS type workstations infected by Nimda.
> The standard snort rules are no good as no connection is actually made,
> just a HUGE SYN flood looking for open Web servers to infect. Traffic
> looks like this:
The easiest way to detect this is by saying
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg: "OUTGOING cmd.exe";
because eventually one of these will do the probing.
Chris Green <cmg at ...1935...>
Warning: time of day goes back, taking countermeasures.
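As an added example, not part of Chris Green's reply or of Snort itself: a Python script that parses alert lines in the style of Snort's fast alert output for the "OUTGOING cmd.exe" rule above and lists the internal source addresses that fired it, so the infected workstations can be identified. The sample lines, the local SID 1000001 and the addresses are constructed; the thread does not show the rule's content clause, so the example only assumes the rule's msg text.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Snort's fast alert output.
# SID 1000001 is a made-up local-rule ID for the "OUTGOING cmd.exe" rule.
SAMPLE_ALERTS = """\
09/26-07:01:12.104233  [**] [1:1000001:1] OUTGOING cmd.exe [**] [Priority: 1] {TCP} 10.1.2.3:1034 -> 203.0.113.5:80
09/26-07:01:12.551902  [**] [1:1000001:1] OUTGOING cmd.exe [**] [Priority: 1] {TCP} 10.1.2.3:1035 -> 203.0.113.9:80
09/26-07:01:13.002110  [**] [1:1000001:1] OUTGOING cmd.exe [**] [Priority: 1] {TCP} 10.1.7.44:2301 -> 198.51.100.2:80
09/26-07:01:13.778301  [**] [1:1000001:1] OUTGOING cmd.exe [**] [Priority: 1] {TCP} 10.1.2.3:1036 -> 203.0.113.5:80
09/26-07:01:14.120044  [**] [1:498:3] ATTACK-RESPONSES id check returned root [**] [Priority: 1] {TCP} 203.0.113.77:80 -> 10.1.9.9:3211
"""

# timestamp [**] [gid:sid:rev] msg [**] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Priority:\s*\d+\]\s+)?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def infected_hosts(text, msg="OUTGOING cmd.exe"):
    """Aggregate alerts carrying `msg` by source address.

    Returns a list of (src_ip, alert_count, distinct_targets), busiest first,
    so the hosts worth taking off the network appear at the top.
    """
    hits = defaultdict(lambda: [0, set()])
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None or a["msg"] != msg:
            continue
        hits[a["src"]][0] += 1
        hits[a["src"]][1].add(a["dst"])
    return sorted(
        ((ip, n, len(targets)) for ip, (n, targets) in hits.items()),
        key=lambda r: (-r[1], r[0]),
    )


if __name__ == "__main__":
    for ip, n, targets in infected_hosts(SAMPLE_ALERTS):
        print(f"{ip:<15} {n:>4} alerts  {targets:>3} distinct web servers probed")
```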