Date: Tue, 18 Sep 2001 15:39:35 -0600
From: Brett Glass <brett@lariat.org>
To: "Derek O'Flynn" <derekoflynn@hotmail.com>, freebsd-security@FreeBSD.ORG
Subject: Re: NIMDA Virus
Message-ID: <4.3.2.7.2.20010918153412.0493bc10@localhost>
In-Reply-To: <F143IQrttDRdNOUivlQ00013ed8@hotmail.com>

We just put a log monitor on the Apache server, and are firewalling anything that sends a request with "cmd.exe" in it. Quite effective.

--Brett

At 03:31 PM 9/18/2001, Derek O'Flynn wrote:

>Has anyone successfully written a rule for snort to alert to this?
>
>I'm currently running snort 1.8 with flex-resp.
>
>I would like to have a rule that identifies the attacks and then sends the tcp_rst command so that the worm can't infect new machines. I have the information for the rule, just need to know what to put in the content field to verify that it is nimda.
>
>Thanks,
>Derek O'Flynn
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
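
A sketch of the kind of log monitor described in the reply above, as an added example that is not the poster's script or part of the original thread. It assumes Apache common/combined log lines, an `ipfw` firewall, and an allowlist of internal ranges; the function names, rule number and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Apache common/combined log: client ident user [time] "request" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "((?:[^"\\]|\\.)*)" \d{3} ')
NEEDLE = "cmd.exe"
# Assumed allowlist: ranges that must never be firewalled by this monitor.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

# Constructed sample log lines (documentation address ranges, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [18/Sep/2001:15:30:01 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [18/Sep/2001:15:30:02 -0600] "GET /example/cmd.exe?x HTTP/1.0" 404 210',
    '203.0.113.9 - - [18/Sep/2001:15:30:03 -0600] "GET /example/CMD%2eEXE?x HTTP/1.0" 404 210',
    '10.0.0.5 - - [18/Sep/2001:15:30:04 -0600] "GET /example/cmd.exe HTTP/1.0" 404 210',
    'unresolved.example - - [18/Sep/2001:15:30:05 -0600] "GET /cmd.exe HTTP/1.0" 404 210',
]

def normalize(request, rounds=3):
    """Percent-decode a few times and lowercase, so encoded forms still match."""
    for _ in range(rounds):
        decoded = unquote(request)
        if decoded == request:
            break
        request = decoded
    return request.lower()

def offenders(lines):
    """Return the sorted client addresses whose request line contains NEEDLE."""
    found = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or NEEDLE not in normalize(m.group(2)):
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # client field is a hostname or junk: never pass it to a shell
        if not any(addr in net for net in NEVER_BLOCK):
            found.add(str(addr))
    return sorted(found)

def ipfw_rules(addrs, rule_no=1000):
    """Format one deny rule per validated address (ipfw use is an assumption)."""
    return ["ipfw add %d deny ip from %s to any" % (rule_no, a) for a in addrs]

if __name__ == "__main__":
    print("\n".join(ipfw_rules(offenders(SAMPLE))))
```

The rules are only printed here, so they can be reviewed before anything is applied to the firewall.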