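#
# Rules to catch local infected hosts
#
# Intended event limit: one event per source per rule per hour
#   threshold type limit, track by_src, count 1, seconds 3600
# NOTE(review): none of the rules below carries this as a rule option, so the
# limit only takes effect if it is configured elsewhere for each sid
# (threshold.conf / event_filter); otherwise every matching packet fires.
#
# sids: the Nimda rules originally reused official Snort sids (1002, 1285,
# 1286, 1287). Loading them next to the stock ruleset yields duplicate
# gid:sid pairs, so they are renumbered here into the local range
# (>= 1000000), following the scheme the Sobig/Nachi rules already use.
# The new values 1000001-1000004 are chosen by this file and do not collide
# with 1000007 / 10000008 below.
#

# W32.Nimda -- outbound IIS probes from an infected local host toward port 80.
# flow:established,to_server limits the match to the client request side of
# the connection (uricontent is only meaningful there).
alert tcp $HOME_NET any -> any 80 (msg:"WEB-IIS msdac"; flow:established,to_server; uricontent:"/msdac/"; nocase; classtype:bad-unknown; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> any 80 (msg:"WEB-IIS _mem_bin"; flow:established,to_server; uricontent:"/_mem_bin/"; nocase; classtype:bad-unknown; sid:1000002; rev:1;)
# "/scripts/" is a common legitimate URI path; expect false positives from
# ordinary browsing, which is why the per-source hourly limit matters here.
alert tcp $HOME_NET any -> any 80 (msg:"WEB-IIS /scripts/"; flow:established,to_server; uricontent:"/scripts/"; nocase; classtype:bad-unknown; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> any 80 (msg:"WEB-IIS cmd.exe"; flow:established,to_server; uricontent:"cmd.exe"; nocase; classtype:attempted-user; sid:1000004; rev:1;)

# W32.Sobig -- outbound UDP/8998 with the 8-byte marker this file keys on.
alert udp $HOME_NET any -> any 8998 (msg:"Sobig Download Attempt"; content:"|5c bf 01 29 ca 62 eb f1|"; classtype:trojan-activity; sid:1000007; rev:1;)

# W32.Nachi/Welchia -- outbound ICMP echo request (itype 8, icode 0) with a
# 64-byte payload whose leading bytes are a run of 0xaa.
# NOTE(review): sid 10000008 has one more digit than 1000007 above; this may
# be a typo for 1000008. Left unchanged, since it is valid and may be
# referenced from an external threshold configuration.
alert icmp $HOME_NET any -> any any (msg:"NACHI/Welchia"; content:"|aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa|"; dsize:64; itype:8; icode:0; classtype:trojan-activity; sid:10000008; rev:1;)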