RE: Nimda Worm Mitigation: Snort

From: Kain X (kainat_private)
Date: Tue Sep 18 2001 - 23:26:11 PDT


    On Tue, 2001-09-18 at 20:52, Jason Lewis wrote:
    > Anyone doing anything different?
    > 
    > How about something that tails an apache log file and adds ipchains rules to
    > kill infected IPs? Anyone want to write it?
    Here are some snort rules you can trigger on.  I didn't write them; I
    haven't tested them. These may not even be complete.  I found them on
    http://www.sli.mine.ru/ .  Have fun.
    -- 
    All programmers are playwrights and all computers are lousy actors.
    **
    Penguin Farmer
    Bryon Roche, Kain <kainat_private>
    
    
    # Snort 1.x rules; flags:A+ means ACK set, other flags ignored. content matches are case-sensitive.
    # Internal host fetching readme.eml from an outside web server (the worm's HTML lure):
    alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Nimda worm attempt"; uricontent:"readme.eml"; flags:A+;)
    # Outside web server sending the JavaScript that opens it; hex decodes to .open("readme.eml (as posted the hex read readme.e.eml, which never matches; the stray 2e65 is dropped):
    alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Nimda worm attempt"; content:"|2e6f70656e2822726561646d652e656d6c|"; flags:A+;)
    # MIME attachment header name="readme.exe" (hex decoded), inbound to the mail servers and outbound from internal hosts:
    alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"Nimda worm attempt"; content:"|6e616d653d22726561646d652e65786522|"; flags:A+;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"Nimda worm attempt"; content:"|6e616d653d22726561646d652e65786522|"; flags:A+;)
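    As an added illustration (not part of the post above or of the rules' source site), this script decodes the |hex| content strings the rules carry and applies Snort's plain substring semantics to constructed sample payloads, so you can see what each rule actually looks for and that a content match without nocase misses a case-changed attachment name. uricontent is approximated here as a plain byte match on the payload; real Snort normalises the URI first.

```python
# Mini content matcher for the Nimda rules above. Patterns copied verbatim from the rules;
# payloads are constructed for this example, not captured traffic.
RULE_PATTERNS = {
    'rule1_uri_readme_eml':     'readme.eml',
    'rule2_js_open_readme_eml': '|2e6f70656e2822726561646d652e656d6c|',
    'rule3_4_mime_readme_exe':  '|6e616d653d22726561646d652e65786522|',
}

def decode_content(pattern):
    """Turn a Snort content string (literal text with |hex| runs) into raw bytes."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split('|')):
        if i % 2 == 1:                      # odd chunks sit between pipes: hex bytes
            out += bytes.fromhex(chunk.replace(' ', ''))
        else:                               # even chunks are literal text
            out += chunk.encode('latin-1')
    return bytes(out)

def content_matches(pattern, payload, nocase=False):
    """Snort 'content' semantics: byte substring, case-sensitive unless nocase is set."""
    needle = decode_content(pattern)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload

def evaluate(payload, nocase=False):
    """Map each rule name to whether its content pattern hits the payload."""
    return {name: content_matches(p, payload, nocase)
            for name, p in RULE_PATTERNS.items()}

# Constructed web response carrying the .open("readme.eml snippet rule 2 decodes to.
HTTP_RESPONSE = (b'HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n'
                 b'<html><script>window.open("readme.eml");</script></html>')
# Constructed MIME header carrying the name="readme.exe" string rules 3 and 4 decode to.
SMTP_MESSAGE = (b'Content-Type: application/octet-stream;\r\n\tname="readme.exe"\r\n'
                b'Content-Transfer-Encoding: base64\r\n\r\n')
# Same header with the attachment name upper-cased: plain content will not match it.
SMTP_UPPER = SMTP_MESSAGE.replace(b'readme.exe', b'README.EXE')

if __name__ == '__main__':
    for label, payload in (('http', HTTP_RESPONSE), ('smtp', SMTP_MESSAGE), ('smtp-upper', SMTP_UPPER)):
        print(label, evaluate(payload), 'nocase:', evaluate(payload, nocase=True))
```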
    
    This archive was generated by hypermail 2b30 : Wed Sep 19 2001 - 08:27:06 PDT