Security Incidents mailing list archives

CodeRed Snort Rules


From: "CERT-Intexxia" <cert () intexxia com>
Date: Wed, 29 Aug 2001 16:38:16 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________
TECHNICAL NOTE                                               INTEXXIA(c)
23 08 2001
________________________________________________________________________
TITLE   : CodeRed Snort Rules
CREDITS : Jean-Pierre Mennella / INTEXXIA
________________________________________________________________________


BACKGROUND
==========

Facing the huge amount of CodeRed traffic, we here at Intexxia needed to
quickly produce statistics about all the CodeRed attacks received on the
machines we monitor.

In order to know which CodeRed variant was logged, we have written Snort
rules that identify each CodeRed variant.

We have chosen the following classification of the CodeRed worms:

      - CodeRedI        : the one with ' /default.ida?NNN '
      - CodeRedII       : the one with ' /default.ida?XXX '
      - CodeRedII - New : the one with ' /default.ida?XXX '
                                   and ' _________ '

As others have noticed, we had CodeRed logs that came from proxies
without the '/default.ida?'. These entries are harmless. Even so, we
decided to still write rules to isolate these 'attacks' from the
effective ones. We have used the following terms:

      - CodeRedII - via proxy - Uneffective :
           * with ' XXXXXXXX%u9090%u6858 '
           * and  ' X-Forwarded '

      - CodeRedII - New - via proxy - Uneffective :
           * with ' XXXXXXXX%u9090%u6858 '
           * and  ' _________ '
           * and  ' X-Forwarded '

We also noticed in our logs real CodeRed attacks that came through some
proxies. If not looked at more closely, these logs might lead to false
conclusions, because it is not the infected machine that appears to be
leading the attack: depending on your logging facility, the logs may not
match reality. Being able to detect such entries might help to find the
really infected hosts, so you don't waste time trying to identify the
origin of the attack when you don't have more logs to dig through.
We have used the following terms:

      - CodeRedII - via proxy :
           * same pattern as CodeRedII
           * and ' X-Forwarded '

      - CodeRedII - New - via proxy :
           * same pattern as CodeRedII - NEW
           * and ' X-Forwarded '

________________________________________________________________________


SCOPE - SNORT RULES
===================

CodeRedII New via Proxy
=======================

Snort 1.7
---------
# '|2F646566 61756C74 2E696461 3F585858|' is '/default.ida?XXX' in hex and
# '|5F5F5F5F 5F5F5F5F|' is the '________' marker of the NEW variant.
alert tcp any any -> any 80 (msg: "CodeRedII Overflow - NEW - via Proxy"; \
    content: "|2F646566 61756C74 2E696461 3F585858|"; \
    content: "|5F5F5F5F 5F5F5F5F|"; \
    content: "X-Forwarded"; nocase;)

Snort 1.8
---------
# Same rule; resp:rst_snd also sends a TCP reset to the sender (needs Snort
# built with flexresp).
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedII Overflow - NEW - via Proxy"; \
    content: "|2F646566 61756C74 2E696461 3F585858|"; \
    content: "|5F5F5F5F 5F5F5F5F|"; \
    content: "X-Forwarded"; nocase; resp:rst_snd;)

------------------------------------------------------------------------

CodeRedII New - via Proxy - Uneffective
=======================================

Snort 1.7
---------
# Proxy-relayed copy of the NEW variant that lost '/default.ida?' on the way
# and therefore cannot overflow the target.
alert tcp any any -> any 80 (msg: "CodeRedII Overflow - NEW - via Proxy - Uneffective"; \
    content: "XXXXXXXX%u9090%u6858"; \
    content: "|5F5F5F5F 5F5F5F5F|"; \
    content: "X-Forwarded"; nocase;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedII Overflow - NEW - via Proxy - Uneffective"; \
    content: "XXXXXXXX%u9090%u6858"; \
    content: "|5F5F5F5F 5F5F5F5F|"; \
    content: "X-Forwarded"; nocase; resp:rst_snd;)

------------------------------------------------------------------------

CodeRedII New
=============

Snort 1.7
---------
# Only packets with the ACK flag set and more than 239 bytes of payload are
# inspected; depth: 610 bounds the search for the '________' marker.
alert tcp any any -> any 80 (msg: "CodeRedII Overflow - NEW"; \
    dsize: >239; flags: A+; \
    content: "|2F646566 61756C74 2E696461 3F585858|"; \
    content: "|5F5F5F5F 5F5F5F5F|"; depth: 610;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedII Overflow - NEW"; \
    dsize: >239; flags: A+; \
    content: "|2F646566 61756C74 2E696461 3F585858|"; \
    content: "|5F5F5F5F 5F5F5F5F|"; depth: 610; resp:rst_snd;)

------------------------------------------------------------------------

CodeRedII - via Proxy
=====================

Snort 1.7
---------
alert tcp any any -> any 80 (msg: "CodeRedII Overflow - via Proxy"; \
    content: "|2F646566 61756C74 2E696461 3F585858|"; \
    content: "X-Forwarded"; nocase;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedII Overflow - via Proxy"; \
    content: "|2F646566 61756C74 2E696461 3F585858|"; \
    content: "X-Forwarded"; nocase; resp:rst_snd;)

------------------------------------------------------------------------


CodeRedII - via Proxy - Uneffective
===================================

Snort 1.7
---------
# Proxy-relayed copy of CodeRedII that lost '/default.ida?' on the way.
alert tcp any any -> any 80 (msg: "CodeRedII Overflow - via Proxy - Uneffective"; \
    content: "XXXXXXXX%u9090%u6858"; \
    content: "X-Forwarded"; nocase;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedII Overflow - via Proxy - Uneffective"; \
    content: "XXXXXXXX%u9090%u6858"; \
    content: "X-Forwarded"; nocase; resp:rst_snd;)

------------------------------------------------------------------------


CodeRed II
==========

Snort 1.7
---------
# depth: 64 keeps the search for '/default.ida?XXX' to the request line.
alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; \
    dsize: >239; flags: A+; \
    content: "|2F646566 61756C74 2E696461 3F585858|"; depth: 64;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedII Overflow"; \
    dsize: >239; flags: A+; \
    content: "|2F646566 61756C74 2E696461 3F585858|"; depth: 64; resp:rst_snd;)

------------------------------------------------------------------------


CodeRedI - via Proxy
====================

Snort 1.7
---------
# '|2F646566 61756C74 2E696461 3F4E4E4E|' is '/default.ida?NNN' in hex.
alert tcp any any -> any 80 (msg: "CodeRedI Overflow - via Proxy"; \
    content: "|2F646566 61756C74 2E696461 3F4E4E4E|"; \
    content: "X-Forwarded"; nocase;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedI Overflow - via Proxy"; \
    content: "|2F646566 61756C74 2E696461 3F4E4E4E|"; \
    content: "X-Forwarded"; nocase; resp:rst_snd;)

------------------------------------------------------------------------


CodeRedI - via Proxy - Uneffective
==================================

Snort 1.7
---------
# Proxy-relayed copy of CodeRedI that lost '/default.ida?' on the way.
alert tcp any any -> any 80 (msg: "CodeRedI Overflow - via Proxy - Uneffective"; \
    content: "NNNNNNNN%u9090%u6858"; \
    content: "X-Forwarded"; nocase;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedI Overflow - via Proxy - Uneffective"; \
    content: "NNNNNNNN%u9090%u6858"; \
    content: "X-Forwarded"; nocase; resp:rst_snd;)

------------------------------------------------------------------------


CodeRedI
========

Snort 1.7
---------
alert tcp any any -> any 80 (msg: "CodeRedI Overflow"; \
    dsize: >239; flags: A+; \
    content: "|2F646566 61756C74 2E696461 3F4E4E4E|"; depth: 64;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedI Overflow"; \
    dsize: >239; flags: A+; \
    content: "|2F646566 61756C74 2E696461 3F4E4E4E|"; depth: 64; resp:rst_snd;)

------------------------------------------------------------------------

________________________________________________________________________


SCOPE - HOW TO
==============

IMPORTANT NOTE: you should use these rules in the order given above for
them to work properly: the more specific rules (NEW variant, via proxy)
come before the general ones. You may also consider placing them in a
specific .rules file that is read first.

You just need to cut and paste the rules into the appropriate '.rules'
file. Snort needs a '\' at the end of each line of a rule that continues
on the next line, so make sure these survive the paste. Then reload your
Snort configuration.

We're using these rules with Snort 1.8.1 and so far everything has gone
fine.
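To make the ordering requirement concrete, here is an added example (not part of the Intexxia note, and not Snort code) that classifies HTTP requests with the note's categories in the same first-match order as the rule set, on a few constructed sample requests. It assumes that only the first matching rule fires, which is why swapping two rules changes the verdict:

```python
# Added example (not part of the Intexxia note): a request classifier that
# applies the note's CodeRed categories in the same first-match order as the
# Snort rule set. Sample requests are constructed, not captured worm traffic.

# (category, byte patterns that must all be present), most specific first,
# in the order of the rule sections above.
CATEGORIES = [
    ("CodeRedII New - via Proxy", [b"/default.ida?XXX", b"________", b"X-Forwarded"]),
    ("CodeRedII New - via Proxy - Uneffective", [b"XXXXXXXX%u9090%u6858", b"________", b"X-Forwarded"]),
    ("CodeRedII New", [b"/default.ida?XXX", b"________"]),
    ("CodeRedII - via Proxy", [b"/default.ida?XXX", b"X-Forwarded"]),
    ("CodeRedII - via Proxy - Uneffective", [b"XXXXXXXX%u9090%u6858", b"X-Forwarded"]),
    ("CodeRedII", [b"/default.ida?XXX"]),
    ("CodeRedI - via Proxy", [b"/default.ida?NNN", b"X-Forwarded"]),
    ("CodeRedI - via Proxy - Uneffective", [b"NNNNNNNN%u9090%u6858", b"X-Forwarded"]),
    ("CodeRedI", [b"/default.ida?NNN"]),
]

# Constructed sample requests (shortened: the real worm URI is much longer).
PAYLOAD = b"XXXXXXXXXXXXXXXX%u9090%u6858=a HTTP/1.0\r\n"
SAMPLES = {
    "direct": b"GET /default.ida?" + PAYLOAD + b"\r\n",
    "proxied": b"GET /default.ida?" + PAYLOAD + b"X-Forwarded-For: 10.0.0.5\r\n\r\n",
    "proxy_stripped": b"GET /" + PAYLOAD + b"x-forwarded-for: 10.0.0.5\r\n\r\n",
    "new_variant": b"GET /default.ida?" + PAYLOAD + b"\r\n" + b"_" * 9,
    "codered1": b"GET /default.ida?" + PAYLOAD.replace(b"X", b"N") + b"\r\n",
}


def classify(request: bytes, categories=CATEGORIES) -> str:
    """Return the first category whose patterns are all present in `request`,
    or "clean". Only X-Forwarded is matched case-insensitively, mirroring the
    `nocase` modifier that the Snort rules put on that content."""
    lowered = request.lower()
    for name, needles in categories:
        if all(needle.lower() in lowered if needle == b"X-Forwarded"
               else needle in request for needle in needles):
            return name
    return "clean"


def misordered_example() -> str:
    """Swap the 'via Proxy' and 'via Proxy - Uneffective' rules: a real,
    effective attack relayed by a proxy is then reported as harmless."""
    swapped = CATEGORIES[:3] + [CATEGORIES[4], CATEGORIES[3]] + CATEGORIES[5:]
    return classify(SAMPLES["proxied"], swapped)
```

The misordered case shows the trap: the 'Uneffective' pattern is a substring of every effective CodeRedII request, so it must only be tried after the '/default.ida?' rules.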

________________________________________________________________________


BIBLIOGRAPHY
============

 * Snort Users Manual Snort Release : 1.8.1 by Martin Roesch
   - www.snort.org

 * "CodeRed Snort Rules" by Jim Forster
   - Post on the SecurityFocus Incidents mailing list
   - www.securityfocus.com

 * "New CodeRed Variant - CodeRed.d" by Ryan Russell
   - Post on the SecurityFocus Incidents mailing list
   - www.securityfocus.com

________________________________________________________________________


ACKNOWLEDGEMENTS
================

Thanks to the Intexxia-Lab Team, for its material and support.


________________________________________________________________________


ABOUT INTEXXIA
==============

Created in 1999, Intexxia is a French IT services company specializing
in data security for enterprises. Intexxia provides outsourcing
solutions, based on innovative technology, in three core areas of data
security: security audits, vulnerability management and 24-by-7
security supervision.

Intexxia: managed security services


________________________________________________________________________

CONTACT
=======

cert () intexxia com

INTEXXIA - www.intexxia.com                   Standard : +33 155 694 910
171, av. Georges Clémenceau                        Fax : +33 155 697 880
92024 Nanterre Cedex - FRANCE


________________________________________________________________________


DISCLAIMER
==========

Intexxia provides this information as a public service and "as is".
Intexxia will not be held accountable for any damage or distress caused
by the proper or improper use of this material.


________________________________________________________________________


COPYRIGHT
=========

(c) Intexxia 2001. This document is the property of Intexxia. Feel free
to use and distribute this material as long as credit is given to
Intexxia and the author.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO4z+VTbZcT30RF3cEQLqtwCfeCtv0dAzBg9s29HW8pGbRms466IAoN37
vwamoT8vpXuZMkrS1RzMFXkm
=WtmJ
-----END PGP SIGNATURE-----
