From owner-freebsd-security Tue Sep 18 14:31:49 2001
From: "Derek O'Flynn"
To: freebsd-security@freebsd.org
Subject: NIMDA Virus
Date: Tue, 18 Sep 2001 16:31:46 -0500

Has anyone successfully written a rule for snort to alert to this? I'm currently running snort 1.8 with flex-resp. I would like to have a rule that identifies the attacks and then sends the tcp_rst command so that the worm can't infect new machines. I have the information for the rule, just need to know what to put in the content field to verify that it is nimda.

Thanks,
Derek O'Flynn