Re: [Snort-sigs] Nimda

From: Nigel Houghton <nigel.houghton(at)sourcefire.com>
Date: Tue May 27 2003 - 20:10:21 EDT

From web-client.rules:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT readme.eml download attempt"; flow:from_client,established; uricontent:"/readme.eml"; nocase; classtype:attempted-user; sid:1284; reference:url,www.cert.org/advisories/CA-2001-26.html; rev:9;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT readme.eml autoload attempt"; flow:to_client,established; content:"window.open(\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; reference:url,www.cert.org/advisories/CA-2001-26.html; rev:8;)

Both these rules pertain to the spread of Nimda.

From tftp.rules:

alert udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content: "|0001|"; offset:0; depth:2; content:"admin.dll"; offset:2; nocase; classtype:successful-admin; reference:url,www.cert.org/advisories/CA-2001-26.html; sid:1289; rev:2;)

also pertains to the attempt to spread infection.


Further information can be found at:

http://www.snort.org/snort-db/sid.html?sid=1284
http://www.snort.org/snort-db/sid.html?sid=1290

On Tue, 27 May 2003 16:42:00 -0400
Joe Kinsella <jkinsella@silverbacktech.com> said something like:

: I'm new to snort so please forgive me if I am re-treading old ground. I've
: installed Snort 2.0 on my IIS web server. My web server is also running
: URLScan to reject specific attacks. One of the attacks I see frequently
: rejected is Nimda (http://www.cert.org/advisories/CA-2001-26.html). Snort
: did not flag these HTTP requests as attacks - and I scanned the rule files
: for a rule that looks like it would have caught Nimda. Since this worm has
: been around so long, I am assuming a rule MUST be available for this.



Nigel Houghton
Security Engineer
Sourcefire Inc.

"I have read of a place where humans do battle in a ring of Jell-O."
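What the three rules quoted above actually test, as an added example in Python. This is not code from the list post, from Snort or from Sourcefire; the $HOME_NET and $HTTP_PORTS values, the Packet layout and every sample packet are constructed here for illustration. Each function mirrors one rule's header and options: sid 1284 and sid 1290 are WEB-CLIENT rules whose headers only match traffic between a client in $HOME_NET and a server in $EXTERNAL_NET (request out, response back), and sid 1289 matches a TFTP read request (opcode 0001) naming admin.dll in either direction. The inbound sample shows the consequence of the header direction: the same URI arriving at a server inside $HOME_NET from outside does not satisfy sid 1284's header.

```python
import ipaddress
from dataclasses import dataclass

# Assumed variable values. Real Snort reads these from snort.conf; these are
# hypothetical and chosen only so the constructed samples below are unambiguous.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
HTTP_PORTS = {80}


@dataclass
class Packet:
    """Minimal stand-in for a decoded packet (constructed for this example)."""
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def is_home(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def request_uri(payload: bytes):
    """Return the URI from an HTTP request line, or None if the payload is
    not a request (e.g. it is a response). Snort's uricontent matches against
    the normalised URI buffer from its HTTP preprocessor; the raw request-line
    token is used here as an approximation."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1]


def sid_1284(p: Packet) -> bool:
    """WEB-CLIENT readme.eml download attempt:
    tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS; flow:from_client;
    uricontent:"/readme.eml"; nocase."""
    if p.proto != "tcp" or not is_home(p.src) or is_home(p.dst):
        return False
    if p.dport not in HTTP_PORTS:
        return False
    uri = request_uri(p.payload)          # from_client: must be a request
    return uri is not None and b"/readme.eml" in uri.lower()


def sid_1290(p: Packet) -> bool:
    """WEB-CLIENT readme.eml autoload attempt:
    tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any; flow:to_client;
    content:"window.open(\"readme.eml\""; nocase."""
    if p.proto != "tcp" or is_home(p.src) or not is_home(p.dst):
        return False
    if p.sport not in HTTP_PORTS:
        return False
    return b'window.open("readme.eml"' in p.payload.lower()


def sid_1289(p: Packet) -> bool:
    """TFTP GET Admin.dll: udp any any -> any 69;
    content:"|0001|"; offset:0; depth:2 (RRQ opcode in the first two bytes),
    then content:"admin.dll"; offset:2; nocase (anywhere after the opcode)."""
    if p.proto != "udp" or p.dport != 69:
        return False
    if p.payload[:2] != b"\x00\x01":
        return False
    return b"admin.dll" in p.payload[2:].lower()


RULES = {1284: sid_1284, 1290: sid_1290, 1289: sid_1289}


def match(p: Packet) -> list:
    """Return the sorted list of SIDs whose header and options match p."""
    return sorted(sid for sid, fn in RULES.items() if fn(p))


# Constructed sample packets (not captures from the list post).
SAMPLES = {
    # a client inside $HOME_NET fetching readme.eml from an outside server
    "client_fetches_readme": Packet("tcp", "10.0.0.5", 3456, "203.0.113.7", 80,
        b"GET /readme.eml HTTP/1.0\r\nHost: 203.0.113.7\r\n\r\n"),
    # the same URI requested from outside against a server in $HOME_NET:
    # header direction of sid 1284 is not satisfied, so no alert
    "inbound_to_iis": Packet("tcp", "203.0.113.7", 3456, "10.0.0.5", 80,
        b"GET /readme.eml HTTP/1.0\r\nHost: 10.0.0.5\r\n\r\n"),
    # an outside server's page that auto-opens readme.eml in the client
    "autoload_page": Packet("tcp", "203.0.113.7", 80, "10.0.0.5", 3456,
        b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b'<html><script>window.open("readme.eml", null, "resizable=no")'
        b"</script></html>"),
    # TFTP RRQ: opcode 00 01, filename, NUL, mode, NUL
    "tftp_rrq_admin_dll": Packet("udp", "10.0.0.5", 1033, "203.0.113.7", 69,
        b"\x00\x01Admin.dll\x00octet\x00"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24s} -> {match(pkt)}")
```

Running the block prints one line per sample: only the outbound request, the inbound HTML and the TFTP read request fire, and the inbound request to the server in $HOME_NET fires nothing, which is the difference between the web-client rules and rules written for a server's point of view.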




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Tue May 27 20:52:27 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:29 EDT

