I wrote this signatures:
alert tcp any 110 -> any any (msg:"Virus - Possible Nimda Worm"; content:
"readme.exe"; nocase; sid:12345; rev:1;)
alert tcp any 80 -> any any (msg:"WEB-MISC - Possible Nimda Worm"; content:
"readme.exe"; nocase; sid:12346; rev:1;)
I'm testing now.
Luis Enrique Londono
----- Original Message -----
From: ragu nandan <[EMAIL PROTECTED]>
To: John Steniger <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 2:02 PM
Subject: Re: FW: [Snort-users] New worm, dubbed Nimda
> We got affected. ANybosy has released a signature?
>
>
> --- John Steniger <[EMAIL PROTECTED]> wrote:
> > Thought this might be useful to members of this
> > list. This probably
> > explains what we are all seeing.
> >
> >
> > John J. Steniger
> >
> > -----Original Message-----
> > From: Tom Sevy [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, September 18, 2001 12:17 PM
> > To: Snort-Users eMail List
> > ([EMAIL PROTECTED])
> > Subject: [Snort-users] New worm, dubbed Nimda
> >
> >
> >
> >
> >
> <http:[EMAIL PROTECTED]>
> >
> http:[EMAIL PROTECTED]
> >
> >
> > We are seeing a flood of this...
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
>
>
> __________________________________________________
> Terrorist Attacks on U.S. - How can you help?
> Donate cash, emergency relief information
> http://dailynews.yahoo.com/fc/US/Emergency_Information/
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
