Re: NIMDA Virus
From: David Kirchner (firstname.lastname@example.org)
Date: Tue, 18 Sep 2001 13:33:45 -0700 (PDT)
From: David Kirchner <email@example.com>
To: "Derek O'Flynn" <firstname.lastname@example.org>
Here's what I'm using:
The \'s are because this filter is using perl regexp patching.
On Tue, 18 Sep 2001, Derek O'Flynn wrote:
> Has anyone successfully written a rule for snort to alert to this?
> I'm currently running snort 1.8 with flex-resp.
> I would like to have a rule that identifies the attacks and then sends the
> tcp_rst command so that the worm can't infect new machines. I have the
> information for the rule, just need to know what to put in the content field
> to verify that it is nimda.
> Derek O'Flynn
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message