Chris Green cmg at ...1935...
Thu Sep 26 07:07:02 EDT 2002

"Richard Ellerbrock" <richarde at ...6992...> writes:

> I am trying to help a very large site that is being killed by denial of
> service due to a large number of MS type workstations infected by Nimda.
> The standard snort rules are no good as no connection is actually made,
> just a HUGE SYN flood looking for open Web servers to infect. Traffic
> looks like this:

The easiest way to detect this is by saying

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"OUTGOING cmd.exe"; \
    content:"cmd.exe";)

because eventually one of these will do the probing.
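
As an added illustration, not part of Chris's reply or of any shipped Snort rule: a small Python emulation of that content rule, run over a constructed handful of packets from SYN-flooding internal hosts, that tallies which $HOME_NET addresses actually got far enough to send a cmd.exe probe. The HOME_NET range, the sample packets and the probe URIs are all made up here; the ..%255c.. traversal requests are constructed sample payloads, not captured traffic.

```python
# Added example, not code from the original thread: emulate the
# "OUTGOING cmd.exe" content rule over constructed packet records and
# tally which internal hosts are doing the probing. HOME_NET, the sample
# packets and the probe URIs are all assumptions for illustration.
import ipaddress
from collections import Counter
from urllib.parse import unquote

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed packets: (src, dst, dport, tcp_flags, payload).
# The SYN-flood packets carry no payload; only the few connections that
# actually complete carry the probe, which is all the content rule can see.
SAMPLE_PACKETS = [
    ("10.1.2.3", "192.0.2.10", 80, "S", b""),
    ("10.1.2.3", "192.0.2.11", 80, "S", b""),
    ("10.1.2.3", "192.0.2.12", 80, "S", b""),
    ("10.1.2.3", "192.0.2.13", 80, "PA",
     b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    ("10.7.7.7", "198.51.100.5", 80, "S", b""),
    ("10.7.7.7", "198.51.100.6", 80, "PA",
     b"GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    ("10.9.9.9", "198.51.100.7", 80, "PA",
     b"GET /index.html HTTP/1.0\r\n\r\n"),
    # Inbound probe against an internal server: wrong direction for this rule.
    ("192.0.2.50", "10.1.2.3", 80, "PA",
     b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
    # Constructed evasion: a literal "cmd.exe" match misses this unless the
    # URI is percent-decoded and case-folded before matching.
    ("10.9.9.9", "198.51.100.8", 80, "PA",
     b"GET /scripts/..%255c../winnt/system32/CMD%2eEXE?/c+dir HTTP/1.0\r\n\r\n"),
]


def matches_rule(pkt, decode_uri=True):
    """Emulate: alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (content:"cmd.exe";)

    With decode_uri=True the payload is percent-decoded and lowercased first,
    standing in for HTTP URI normalisation plus a nocase match."""
    src, dst, dport, _flags, payload = pkt
    if dport != 80:
        return False
    if ipaddress.ip_address(src) not in HOME_NET:
        return False
    if ipaddress.ip_address(dst) in HOME_NET:
        return False
    if not payload:          # a bare SYN has nothing for a content match
        return False
    hay = payload.decode("latin-1")
    if decode_uri:
        hay = unquote(hay).lower()
    return "cmd.exe" in hay


def infected_hosts(packets, decode_uri=True):
    """Return {internal source IP: number of matching outbound probes}."""
    return Counter(p[0] for p in packets if matches_rule(p, decode_uri))


def syn_only_counts(packets):
    """Per-source count of payload-less SYNs to port 80 from HOME_NET: the
    flood itself, which the content rule never alerts on."""
    return Counter(
        p[0] for p in packets
        if p[2] == 80 and p[3] == "S" and not p[4]
        and ipaddress.ip_address(p[0]) in HOME_NET
    )


if __name__ == "__main__":
    for decode in (False, True):
        print("decode_uri=%s ->" % decode,
              dict(infected_hosts(SAMPLE_PACKETS, decode)))
    print("SYN-only per host ->", dict(syn_only_counts(SAMPLE_PACKETS)))
```

Running it prints two tallies of probing hosts, one with the literal match and one with the URI decoded first, and then the per-host count of bare SYNs. The decode_uri flag is the caveat worth keeping in mind: the rule as written matches the literal string, so a probe that percent-encodes the dot in cmd.exe slips past it unless something normalises the URI before the content match (Snort's http_decode preprocessor in that era). The SYNs that make up the flood never match at all, which is exactly why the reply says the rule only fires once one of the connections completes and does the probe; the source address on that alert is the infected workstation.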
