Hosting Provided By

Re: [Snort-sigs] Nimda

From: Brian <bmc(at)snort.org>
Date: Wed May 28 2003 - 11:56:11 EDT

On Wed, May 28, 2003 at 08:52:58AM -0400, Joe Kinsella wrote:
> What I see in my logs on a Nimda attack looks like this:

Snort would have caught all of those.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flow:to_server,established; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; reference:bugtraq,1065; sid:1242;  rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:7;)

-brian

This SF.net email is sponsored by: ObjectStore. If flattening out C++ or Java code to make your application fit in a relational database is painful, don't do it! Check out ObjectStore. Now part of Progress Software. http://www.objectstore.net/sourceforge

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Wed May 28 12:36:14 2003

This message: [ Message body ]
Next message: Erek Adams: "Re: [Snort-sigs] dropping traffic"
Previous message: SoloNet Newsfeed Processor: "[Snort-sigs] SID 1882 False Posiitives : "ATTACK-RESPONSES id check returned userid ""
In reply to Joe Kinsella: "RE: [Snort-sigs] Nimda"
Reply: Joel Maslak: "Re: [Snort-sigs] Web service rules"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:29 EDT