Security Incidents mailing list archives
RE: I will start posting summaries.
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Wed, 1 Aug 2001 17:37:16 -0400
Jim's rules should catch most, if not all, of the crap that the worm will throw at you. Just to be safe, however, I added another rule:

alert tcp any any -> $HTTP_SERVERS 80 (msg:"CodeRed/Index Server - Generic"; content:".ida?";)

This is pretty much guaranteed to catch any future variant of this sorry little worm. Of course, you only want to do this if you have *no* use for these application mappings.
If you use the SNORT Rules Jim Forester posted a bit ago, it _should_ get all variations, yes?

alert tcp any any -> any 80 (msg: "CodeRed Defacement Detected"; flags: A+; content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:64;)
alert tcp any any -> any 80 (msg: "CodeRed Overflow Detected"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|"; depth:64;)
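To see how the three rules in this thread behave against traffic, here is a small emulation of their content, depth and dsize checks run over constructed HTTP request payloads. This is an added example, not code from either message; the sample requests are constructed, not captured traffic.

```python
"""Emulate the Snort rules quoted in the thread over constructed HTTP payloads."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    msg: str
    content: bytes                    # byte pattern the rule looks for
    depth: Optional[int] = None       # depth:N -> only search the first N payload bytes
    min_dsize: Optional[int] = None   # dsize: >N -> payload must be longer than N bytes


def hexcontent(s: str) -> bytes:
    """Convert Snort '|..|' hex notation (spaces allowed) to bytes."""
    return bytes.fromhex(s.replace(" ", ""))


# The three rules as posted: McCammon's generic rule, then Forester's two.
RULES = [
    Rule("CodeRed/Index Server - Generic", b".ida?"),
    Rule("CodeRed Defacement Detected",
         hexcontent("FF8B8D64 FEFFFF0F BE1185D2 7402EBD3"), depth=64),
    Rule("CodeRed Overflow Detected",
         hexcontent("2F646566 61756C74 2E696461 3F4E4E4E"), depth=64, min_dsize=239),
]


def matches(rule: Rule, payload: bytes) -> bool:
    """Apply the rule's dsize, depth and content options to one TCP payload."""
    if rule.min_dsize is not None and len(payload) <= rule.min_dsize:
        return False
    window = payload if rule.depth is None else payload[:rule.depth]
    return rule.content in window


def alerts(payload: bytes) -> list[str]:
    """Return the msg of every rule that fires on the payload, in rule order."""
    return [r.msg for r in RULES if matches(r, payload)]


# Constructed sample payloads (not real captures):
# a long "/default.ida?NNN..." request in the style of the worm,
CODERED_LIKE = (b"GET /default.ida?" + b"N" * 224
                + b"%u9090%u6858%ucbd3 HTTP/1.0\r\nHost: victim\r\n\r\n")
# an ordinary page fetch,
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: intranet\r\n\r\n"
# and a short, legitimate-looking Index Server query that the generic rule still flags.
SHORT_IDA = b"GET /query.ida?CiRestriction=foo HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, p in (("codered", CODERED_LIKE), ("benign", BENIGN), ("short_ida", SHORT_IDA)):
        print(name, alerts(p))
```

The SHORT_IDA case shows the trade-off McCammon notes: the generic ".ida?" rule fires on any Index Server query, so it is only safe where those mappings are unused.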
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com