 
From: Ryan Russell (ryan@securityfocus.com)
Date: Wed Feb 06 2002 - 12:49:19 CST


    On Wed, 6 Feb 2002 bthaler@webstream.net wrote:

    > Is anyone using a snort rule to detect *local* infections of codered, nimda,
    > etc?
    >
    > I tried:
    > alert tcp x.x.x.x any -> any 80 (msg:"***LOCAL CODERED INFECTION***";
    > content:"/cmd.exe"; nocase;)

    CodeRed.b is the only active one out there at the moment. It doesn't
    contain the string "cmd.exe". That was Codered II (CodeRed.c and
    CodeRed.d).

    >
    > but this doesn't seem to work.
    >
    > I tested it by trying to access www.yahoo.com/cmd.exe, which should throw a
    > false positive.

    From that IP address, obviously, yes?

    >
    > Is my testing flawed, or the rule, or both?

    Where did you put the rule, and did you restart Snort?

                                            Ryan

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
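The thread turns on two things: the rule only fires on traffic whose source is the one host named in the header (so a test fetch of www.yahoo.com/cmd.exe must originate from that host), and `content:"/cmd.exe"; nocase;` is a case-insensitive substring match on the payload. The following Python, added here as an illustration and not code from the poster, from Ryan, or from the Snort project, models just that header and content logic over a few constructed HTTP request lines. The host address 192.0.2.10 stands in for the "x.x.x.x" in the rule and the request lines are made up for the example; real Snort also applies protocol decoding and preprocessors that this model leaves out.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: stands in for the "x.x.x.x" in the quoted rule, i.e. the
# local host whose outbound port-80 traffic we want to watch.
LOCAL_HOST = "192.0.2.10"


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def header_matches(pkt: Packet, src_ip: str, dport: int) -> bool:
    """Model the rule header 'tcp <src_ip> any -> any <dport>'."""
    if src_ip != "any" and ipaddress.ip_address(pkt.src) != ipaddress.ip_address(src_ip):
        return False
    return pkt.dport == dport


def content_matches(payload: bytes, content: str, nocase: bool) -> bool:
    """Model the 'content:"..."; [nocase;]' option: substring search on the payload."""
    if nocase:
        return content.lower().encode() in payload.lower()
    return content.encode() in payload


def local_codered_rule(pkt: Packet, src_ip: str = LOCAL_HOST) -> bool:
    """Model of the poster's rule:
    alert tcp x.x.x.x any -> any 80 (msg:"***LOCAL CODERED INFECTION***";
    content:"/cmd.exe"; nocase;)
    """
    return header_matches(pkt, src_ip, 80) and content_matches(pkt.payload, "/cmd.exe", nocase=True)


# Constructed sample traffic (labels are for the demonstration only).
SAMPLE_PACKETS = {
    # The poster's own test: fetching www.yahoo.com/cmd.exe from the watched host.
    "local-yahoo-test": Packet(LOCAL_HOST, 40001, "198.51.100.5", 80,
                               b"GET /cmd.exe HTTP/1.0\r\nHost: www.yahoo.com\r\n\r\n"),
    # Same request, but from a different host: the header does not match.
    "other-host-yahoo-test": Packet("192.0.2.99", 40002, "198.51.100.5", 80,
                                    b"GET /cmd.exe HTTP/1.0\r\nHost: www.yahoo.com\r\n\r\n"),
    # Upper-case path from the watched host: 'nocase' makes it match anyway.
    "local-upper-cmd": Packet(LOCAL_HOST, 40003, "198.51.100.7", 80,
                              b"GET /scripts/CMD.EXE HTTP/1.0\r\n\r\n"),
    # Ordinary request with no "/cmd.exe" string: no match, as Ryan notes a
    # CodeRed.b request (which lacks that string) would not match either.
    "local-plain-get": Packet(LOCAL_HOST, 40004, "198.51.100.7", 80,
                              b"GET /index.html HTTP/1.0\r\n\r\n"),
    # Right string, wrong destination port: the header restricts to port 80.
    "local-port-8080": Packet(LOCAL_HOST, 40005, "198.51.100.7", 8080,
                              b"GET /cmd.exe HTTP/1.0\r\n\r\n"),
}


def run_rule(packets=SAMPLE_PACKETS, src_ip: str = LOCAL_HOST) -> dict:
    """Evaluate the modelled rule over each labelled packet; True means 'would alert'."""
    return {label: local_codered_rule(pkt, src_ip) for label, pkt in packets.items()}


if __name__ == "__main__":
    for label, fired in run_rule().items():
        print(f"{label:24s} {'ALERT' if fired else '-'}")
```

Running it shows that only the two requests that both originate from the watched host and carry "/cmd.exe" (in any case) on port 80 would alert; the same request from another host, or to another port, would not. Whether a real Snort instance fires at all still depends on the rule being in a file that snort.conf loads and on Snort having been restarted after the change, which is the point Ryan raises at the end.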