Snort mailing list archives

Re: local codered infection


From: <bthaler () webstream net>
Date: Wed, 6 Feb 2002 15:46:39 -0500

Actually, the content string in the rule is just semantics at this point.
The problem was that my other rules were being triggered first, so I moved
this to the top of the ruleset, and everything's fine.

Thanks for your help.

Sincerely,

Brad T.
----- Original Message -----
From: "Ryan Russell" <ryan () securityfocus com>
To: "Phil Wood" <cpw () lanl gov>
Cc: <bthaler () webstream net>; <snort-users () lists sourceforge net>
Sent: Wednesday, February 06, 2002 3:30 PM
Subject: Re: [Snort-users] local codered infection


On Wed, 6 Feb 2002, Phil Wood wrote:

> > CodeRed.b is the only active one out there at the moment.  It doesn't
> > contain the string "cmd.exe".  That was Codered II (CodeRed.c and
> > CodeRed.d).
>
> For what it's worth, I saw 113,281 WEB-IIS cmd.exe accesses yesterday.

I should have said "the only active Code Red out there at the moment."
Yours would be Nimda, and possibly a few Sadmind and manual attempts.  The
original poster was only asking about Code Red, but Nimda is certainly
worth mentioning in this context.  Sorry for the omission.

Ryan
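The ordering problem Brad describes (a perfectly good content rule that never fires because a broader rule above it matches the same packet first) is easy to reproduce with a toy evaluator. The block below is an added example, not code from Snort or from anyone in this thread. It parses a cut-down imitation of Snort's rule syntax (only msg, content and nocase are understood), evaluates a ruleset against constructed HTTP requests, and assumes the first-match behaviour Snort had at the time, where detection stops at the first rule that matches a packet. The rule text, the rule names apart from "WEB-IIS cmd.exe access" (which the thread mentions), and both sample requests are made up for the demo; the .ida request is only a stand-in for a Code Red II hit that also carries the string cmd.exe, as Ryan's message says that worm's payload does.

```python
"""Toy first-match rule evaluator showing why rule order matters.

Added example; not Snort code and not from the mailing-list thread.
Assumption: the engine stops at the first matching rule per packet.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    msg: str
    content: bytes
    nocase: bool = False

    def matches(self, payload: bytes) -> bool:
        # Plain substring match, the same idea as Snort's "content" option.
        if self.nocase:
            return self.content.lower() in payload.lower()
        return self.content in payload


# One rule option:  name[:"value"];   (value may be absent, e.g. "nocase;")
_OPT = re.compile(r'(\w+)\s*(?::\s*"?([^";]*)"?)?\s*;')


def parse_rule(text: str) -> Rule:
    """Parse the option block of a Snort-style rule: alert tcp ... ( ... )."""
    body = text[text.index("(") + 1 : text.rindex(")")]
    opts = dict(_OPT.findall(body))
    return Rule(msg=opts["msg"],
                content=opts["content"].encode(),
                nocase="nocase" in opts)


def evaluate(rules, payload: bytes, first_match_only: bool = True):
    """Return the msg of each rule that fires, in ruleset order.

    With first_match_only=True the loop stops at the first hit, which is
    the behaviour assumed for the Snort of this thread's era.
    """
    hits = []
    for rule in rules:
        if rule.matches(payload):
            hits.append(rule.msg)
            if first_match_only:
                break
    return hits


def fire_order(rule_texts, payload: bytes, first_match_only: bool = True):
    """Convenience wrapper: parse the rule strings, then evaluate them."""
    return evaluate([parse_rule(t) for t in rule_texts], payload, first_match_only)


# Illustrative ruleset (assumed, not the stock Snort rules): a broad .ida
# rule sits above the cmd.exe rule, which is Brad's "other rules fire first".
RULESET = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
    '(msg:"WEB-IIS ISAPI .ida attempt"; content:".ida?"; nocase;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
    '(msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase;)',
]

# Constructed sample requests, not captured traffic.
# 1) A .ida request whose filler also contains "cmd.exe" (stand-in for a
#    Code Red II hit, which the thread says carries that string).
IDA_WITH_CMD = b"GET /default.ida?" + b"X" * 40 + b"cmd.exe HTTP/1.0\r\n\r\n"
# 2) A request that names cmd.exe in the URI and nothing else of interest.
NIMDA_STYLE = b"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"


if __name__ == "__main__":
    for label, order in (("cmd.exe rule second", RULESET),
                         ("cmd.exe rule first ", RULESET[::-1])):
        print(label, "->", fire_order(order, IDA_WITH_CMD))
    print("all matches        ->", fire_order(RULESET, IDA_WITH_CMD, False))
```

With the cmd.exe rule second, the .ida request only ever produces the .ida alert and the cmd.exe rule looks dead; reversing the order, as Brad did by moving the rule to the top of his ruleset, makes it fire. Running with first_match_only=False shows both hits and is the cleaner fix where the engine supports reporting more than one event per packet.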




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

