On Tue, 18 Sep 2001, ? wrote:
> I wrote this signatures:
>
> alert tcp any 110 -> any any (msg:"Virus - Possible Nimda Worm"; content:
> "readme.exe"; nocase; sid:12345; rev:1;)
> alert tcp any 80 -> any any (msg:"WEB-MISC - Possible Nimda Worm"; content:
> "readme.exe"; nocase; sid:12346; rev:1;)
If you can get to snort.org, there is an updated ruleset for snort that
catches most (if not all) of the IIS attacks. I've got it running, and
I'm uploading the data to aris.securityfocus.com regularly.
--
Sapere aude
My mind not only wanders, it sometimes leaves completely.
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
