From owner-freebsd-security Tue Sep 18 14:40:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 6084C37B406 for ; Tue, 18 Sep 2001 14:40:08 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id PAA26037; Tue, 18 Sep 2001 15:39:59 -0600 (MDT) Message-Id: <4.3.2.7.2.20010918153412.0493bc10@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 18 Sep 2001 15:39:35 -0600 To: "Derek O'Flynn" , freebsd-security@FreeBSD.ORG From: Brett Glass Subject: Re: NIMDA Virus In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org We just put a log monitor on the Apache server, and are firewalling anything that sends a request with "cmd.exe" in it. Quite effective. --Brett At 03:31 PM 9/18/2001, Derek O'Flynn wrote: >Has anyone successfully written a rule for snort to alert to this? > >I'm currently running snort 1.8 with flex-resp. > >I would like to have a rule that identifies the attacks and then sends the tcp_rst command so that the worm can't infect new machines. I have the information for the rule, just need to know what to put in the content field to verify that it is nimda. > >Thanks, >Derek O'Flynn > > >_________________________________________________________________ >Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message