Re: NIMDA Virus

From: David Kirchner (davidk@accretivetg.com)
Date: 09/18/01


Date: Tue, 18 Sep 2001 13:33:45 -0700 (PDT)
From: David Kirchner <davidk@accretivetg.com>
To: "Derek O'Flynn" <derekoflynn@hotmail.com>

Here's what I'm using:

FTCBFzaDxAzpRQEAAIl9DGoIjUX0V1Doo2IAAIPEDI1F9MdF9B4AAACJtcT\+\/\/9QjYXA\/v\/\/V1BX

The \'s are because this filter is using perl regexp patching.

On Tue, 18 Sep 2001, Derek O'Flynn wrote:

> Has anyone successfully written a rule for snort to alert to this?
>
> I'm currently running snort 1.8 with flex-resp.
>
> I would like to have a rule that identifies the attacks and then sends the
> tcp_rst command so that the worm can't infect new machines. I have the
> information for the rule, just need to know what to put in the content field
> to verify that it is nimda.
>
> Thanks,
> Derek O'Flynn

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
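
An added illustration, not part of the original message: this Python sketch shows why the posted pattern needs its backslashes, by running it escaped and unescaped over the encoded body lines of a sample message. It assumes the filter matches raw, still-encoded body lines; the sample message, its addresses, and the names body_lines and matches_signature are constructed here.

```python
import re
from email import message_from_string

# Pattern exactly as posted in the message above, with \+ and \/ escapes.
PAGE_PATTERN = (r"FTCBFzaDxAzpRQEAAIl9DGoIjUX0V1Doo2IAAIPEDI1F9MdF9B4AAACJtcT"
                r"\+\/\/9QjYXA\/v\/\/V1BX")
# The literal base64 text that pattern is meant to match.
LITERAL = PAGE_PATTERN.replace("\\", "")

ESCAPED_RE = re.compile(PAGE_PATTERN)
# Same text with no escapes: "T+" now means "one or more T", so the literal
# '+' in the encoded body is never matched.
UNESCAPED_RE = re.compile(LITERAL)

def body_lines(raw_message):
    """Yield the still-encoded body lines of every non-multipart MIME part."""
    for part in message_from_string(raw_message).walk():
        if not part.is_multipart():
            for line in part.get_payload(decode=False).splitlines():
                yield line.strip()

def matches_signature(raw_message, regex=ESCAPED_RE):
    """True if any encoded body line contains the signature."""
    return any(regex.search(line) for line in body_lines(raw_message))

# Constructed sample: a two-part message whose attachment body contains the
# signature line after one line of filler base64 ("QUFB" decodes to "AAA").
SAMPLE_HIT = "\n".join([
    "From: sender@example.org",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="B"',
    "",
    "--B",
    "Content-Type: text/plain",
    "",
    "hello",
    "--B",
    "Content-Type: application/octet-stream",
    "Content-Transfer-Encoding: base64",
    "",
    "QUFB" * 19,
    LITERAL,
    "--B--",
    "",
])
SAMPLE_CLEAN = SAMPLE_HIT.replace(LITERAL, "QUJD" * 19)
```

In Python's re module the slash is not a metacharacter, so only the escaped plus sign changes the result here; in Perl the slash is usually the pattern delimiter and is escaped for that reason.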