Nimda Filter reading results

Status
Not open for further replies.

tls9923

Technical User
Aug 7, 2002
155
US
I have the Nimda Filter running on my network. It has picked up the Nimda virus running on my network. I am trying to read the capture file to see where the virus is. I am having problems reading it: it shows the source as my machine, but my machine is not infected or showing any signs. How can I read the filter to see where the virus is coming from?

Thanks

Terrel
 
Is your machine running as an HTTP/IIS server as well?

I set up a Nimda filter as well by hand (packets with and default.ida? strings as well) and got good results at finding infected hosts.

Please give more details.

cheers,
 
Hi guys !

I'm in need of setting up that filter. Could you send instructions? Or, where can I get it?

Thanks in advance !

Alex
 
Alex, it's very easy to configure your own filter by setting up a custom filter to look for the string values of Nimda. You can get these strings from Snort's sig file :) And not just for Nimda.

I can write up instructions but it would be later today.

MikeS
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
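
The string-match approach discussed in this thread, as an added example that is not part of any post: it reads a text export of a capture and counts marker-bearing HTTP requests per source address, attributing only requests so a reply that merely contains a marker is not counted against its sender. The export format, the addresses and the `cmd.exe`/`root.exe` markers are assumptions of this example; only `default.ida?` is named in the thread.

```python
import re
from collections import Counter
from urllib.parse import unquote

# "default.ida?" is the string named in the thread; the other markers are
# assumptions of this example. Take real values from your IDS signature file.
MARKERS = ("default.ida?", "cmd.exe", "root.exe")
REQUEST = re.compile(r"^(GET|HEAD|POST)\s+(\S+)", re.IGNORECASE)

# Constructed sample export: "<source> <destination> <first payload line>"
SAMPLE = """\
10.0.0.23 10.0.0.5 GET /scripts/root.exe?/c+dir HTTP/1.0
10.0.0.23 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
10.0.0.41 10.0.0.5 GET /default.ida?XXXXXXXX HTTP/1.0
10.0.0.5 10.0.0.23 HTTP/1.1 404 Not Found: /scripts/root.exe
10.0.0.77 10.0.0.5 GET /index.html HTTP/1.0
10.0.0.23 10.0.0.5 GET /msadc/CMD%2eEXE?/c+dir HTTP/1.0
truncated-record
"""

def normalize(uri, rounds=3):
    """Undo repeated percent-encoding and fold case before matching."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()

def probing_sources(text):
    """Count marker-bearing HTTP requests per source address."""
    hits = Counter()
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # skip records that are not "<src> <dst> <payload>"
        src, _dst, payload = parts
        m = REQUEST.match(payload)
        if not m:
            continue  # replies and other traffic are not attributed
        uri = normalize(m.group(2))
        if any(marker in uri for marker in MARKERS):
            hits[src] += 1
    return hits

if __name__ == "__main__":
    for src, count in probing_sources(SAMPLE).most_common():
        print(f"{src}\t{count} probe requests")
```
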
 