Security Incidents mailing list archives
RE: Code Red v2 ?
From: "Colby Rice" <crice () 180096hotel com>
Date: Thu, 2 Aug 2001 09:06:29 -0500
Yea, it's the dsize flag that causes it.

CR

-----Original Message-----
From: Owen Creger [mailto:OCreger () CreativeSolutions com]
Sent: Wednesday, August 01, 2001 1:29 PM
To: 'incidents () securityfocus com'; 'focus-ids () securityfocus com'
Subject: Code Red v2 ?

Snort has been logging numerous web-cgi_http-cgi-pipe attacks. When I look at the captured packets, they are the ida overflow from Code Red. Could this be Code Red v2?

The original signature is:

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS552/web-iis_IIS ISAPI Overflow ida"; dsize: >239; flags: A+; uricontent: ".ida?"; classtype: system-or-info-attempt; reference: arachnids,552;)

Is it possible that the dsize is causing the problem?

Owen C. Creger
Information Systems Security
Creative Solutions Inc.
7322 Newman Blvd.
Dexter, MI 48130
ph: 734-426-5860 ex. 3787
cell: 734-223-6270

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
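
What `dsize: >239` does to the rule quoted above, as an added example that is not part of the original thread and is not Snort's own code: a small Python evaluator that applies the rule's dsize, flags and uricontent options to constructed TCP segments. It assumes dsize is compared against the payload length of each individual packet and simplifies uricontent to a substring test on the raw request target; `parse_options`, `evaluate` and `segment` are hypothetical names.

```python
import re

# The rule exactly as quoted in the message above.
RULE = ('alert TCP $EXTERNAL any -> $INTERNAL 80 '
        '(msg: "IDS552/web-iis_IIS ISAPI Overflow ida"; dsize: >239; flags: A+; '
        'uricontent: ".ida?"; classtype: system-or-info-attempt; '
        'reference: arachnids,552;)')

def parse_options(rule):
    """Return the option section of a rule as a {name: value} dict."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {}
    for item in body.split(";"):
        if ":" in item:
            name, value = item.split(":", 1)
            opts[name.strip()] = value.strip().strip('"')
    return opts

def evaluate(opts, tcp_flags, payload):
    """Test one TCP segment; return the options that failed ([] = alert)."""
    failed = []
    # dsize: size of THIS packet's payload, not of the whole HTTP request.
    op, limit = re.fullmatch(r"([<>]?)(\d+)", opts["dsize"]).groups()
    size, limit = len(payload), int(limit)
    if not {">": size > limit, "<": size < limit, "": size == limit}[op]:
        failed.append("dsize")
    # flags: "A+" = ACK set, any other flags allowed; without "+" = exact match.
    required, have = set(opts["flags"].rstrip("+")), set(tcp_flags)
    if not (required <= have if opts["flags"].endswith("+") else required == have):
        failed.append("flags")
    # uricontent: simplified here to the raw request target (no normalization).
    m = re.match(rb"[A-Z]+ (\S+)", payload)
    if opts["uricontent"].encode() not in (m.group(1) if m else b""):
        failed.append("uricontent")
    return failed

def segment(total_len):
    """Constructed sample: a request segment of exactly total_len payload bytes."""
    head, tail = b"GET /a.ida?", b" HTTP/1.0\r\n\r\n"
    return head + b"X" * (total_len - len(head) - len(tail)) + tail

if __name__ == "__main__":
    opts = parse_options(RULE)
    for n in (130, 239, 240, 400):
        print(n, "bytes ->", evaluate(opts, "PA", segment(n)) or "alert")
```

A segment that contains `.ida?` but carries 239 or fewer payload bytes fails only the dsize test, so this rule stays silent for it while rules without a size condition can still fire.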