From owner-freebsd-security Tue Sep 18 14:37:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from webs1.accretive-networks.net (webs1.accretive-networks.net [207.246.154.13]) by hub.freebsd.org (Postfix) with ESMTP id 2386B37B409 for ; Tue, 18 Sep 2001 14:37:46 -0700 (PDT)
Received: from localhost (davidk@localhost) by webs1.accretive-networks.net (8.11.1/8.11.3) with ESMTP id f8IKXj528527; Tue, 18 Sep 2001 13:33:45 -0700 (PDT)
Date: Tue, 18 Sep 2001 13:33:45 -0700 (PDT)
From: David Kirchner
X-X-Sender:
To: "Derek O'Flynn"
Cc:
Subject: Re: NIMDA Virus
In-Reply-To:
Message-ID: <20010918133322.R85958-100000@localhost>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Here's what I'm using:

FTCBFzaDxAzpRQEAAIl9DGoIjUX0V1Doo2IAAIPEDI1F9MdF9B4AAACJtcT\+\/\/9QjYXA\/v\/\/V1BX

The \'s are because this filter is using perl regexp matching.

On Tue, 18 Sep 2001, Derek O'Flynn wrote:

> Has anyone successfully written a rule for snort to alert to this?
>
> I'm currently running snort 1.8 with flex-resp.
>
> I would like to have a rule that identifies the attacks and then sends the
> tcp_rst command so that the worm can't infect new machines. I have the
> information for the rule, just need to know what to put in the content field
> to verify that it is nimda.
>
> Thanks,
> Derek O'Flynn
>
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
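The string posted above is one 76-character line of base64, which is exactly the RFC 2045 line width for an encoded attachment, and the backslashes exist only because '+' is a regex quantifier and '/' is perl's m// delimiter. The following is an added example, written for this page and not code from either poster, showing the two checks a practitioner would want before deploying such a signature in a mail filter: that it decodes as well-formed base64 (so it really is a slice of the attachment and not a transcription error), and that a per-line match silently misses the same bytes if a gateway re-wraps the encoded body at a different offset. The MIME body, the filler lines and the function names are constructed for the example.

```python
import base64
import re

# The base64 line from David Kirchner's message, with the perl escapes removed.
NIMDA_B64_SIGNATURE = (
    "FTCBFzaDxAzpRQEAAIl9DGoIjUX0V1Doo2IAAIPEDI1F9MdF9B4AAACJtcT+//9QjYXA/v//V1BX"
)

MIME_LINE_WIDTH = 76  # RFC 2045 maximum for a base64-encoded body line


def signature_regex(sig: str = NIMDA_B64_SIGNATURE) -> "re.Pattern":
    """Literal-match regex for the signature. re.escape() does the job of the
    hand-written backslashes in the perl filter ('+' is a quantifier); Python
    3.7+ leaves '/' alone because it is not a metacharacter here."""
    return re.compile(re.escape(sig))


def signature_sanity(sig: str = NIMDA_B64_SIGNATURE) -> dict:
    """Sanity checks before deployment: the signature must be valid base64
    (validate=True rejects anything outside the alphabet) and, for a mail
    filter, it must fit in one encoded line or a per-line match can never hit."""
    raw = base64.b64decode(sig, validate=True)
    return {
        "chars": len(sig),
        "bytes": len(raw),
        "fits_one_line": len(sig) <= MIME_LINE_WIDTH,
    }


def scan_lines(lines, pattern: "re.Pattern") -> bool:
    """Line-at-a-time match, the way a per-line perl filter sees the message."""
    return any(pattern.search(line) for line in lines)


def scan_joined(body: str, pattern: "re.Pattern") -> bool:
    """Match against the encoded body with line breaks removed, so the
    signature is found even if the attachment was re-wrapped in transit.
    Only the base64 part should be fed in; joining headers too would be noise."""
    return pattern.search(body.replace("\r\n", "").replace("\n", "")) is not None


def rewrap(b64_lines, width: int):
    """Re-encode the same bytes with a different line width, as a relaying
    MTA or content filter might; the byte stream is unchanged."""
    joined = "".join(b64_lines)
    return [joined[i:i + width] for i in range(0, len(joined), width)]


# Constructed encoded body: two filler lines around the real signature line.
# This is not the worm's attachment, just enough structure to exercise the scans.
SAMPLE_B64_LINES = [
    "A" * MIME_LINE_WIDTH,
    NIMDA_B64_SIGNATURE,
    "B" * MIME_LINE_WIDTH,
]


def demo() -> dict:
    """Run both scanners over the body as sent and after re-wrapping at 60 columns."""
    pat = signature_regex()
    rewrapped = rewrap(SAMPLE_B64_LINES, 60)
    return {
        "sanity": signature_sanity(),
        "per_line_original": scan_lines(SAMPLE_B64_LINES, pat),
        "per_line_rewrapped": scan_lines(rewrapped, pat),
        "joined_rewrapped": scan_joined("\n".join(rewrapped), pat),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The re-wrapped case is the one to keep in mind for a mail filter: the bytes on the wire are identical, yet the per-line pattern no longer fires because the 76-character slice now straddles two lines. A network IDS content match on the raw TCP stream does not have this problem for the HTTP side of the worm, but a mail filter that reads line by line does.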