Security Incidents mailing list archives

RE: I will start posting summaries.


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Wed, 1 Aug 2001 17:37:16 -0400

Jim's rules should catch most, if not all, of the crap that the worm will
throw at you.  Just to be safe, however, I added another rule:

alert tcp any any -> $HTTP_SERVERS 80 (msg:"CodeRed/Index Server - Generic"; content:".ida?";)

This is pretty much guaranteed to catch any future variant of this sorry
little worm.  Of course, you only want to do this if you have *no* use for
these application mappings.

If you use the SNORT rules Jim Forester posted a bit ago, it _should_ get all variations, yes?

alert tcp any any -> any 80 (msg: "CodeRed Defacement Detected"; flags: A+; content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:64;)
alert tcp any any -> any 80 (msg: "CodeRed Overflow Detected"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|"; depth:64;)
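As an added example, not from this thread or from Snort itself: a small Python matcher that applies the three rules above (honouring only content, depth and dsize; flags and addresses are ignored) to constructed HTTP request payloads, so you can see which rule fires on what kind of traffic.

```python
# Constructed example: a minimal Snort-1.x-style content matcher for the
# three CodeRed rules in this thread. Not Snort's own matching engine.
RULES = [
    'alert tcp any any -> $HTTP_SERVERS 80 (msg:"CodeRed/Index Server - Generic"; content:".ida?";)',
    'alert tcp any any -> any 80 (msg: "CodeRed Defacement Detected"; flags: A+; '
    'content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:64;)',
    'alert tcp any any -> any 80 (msg: "CodeRed Overflow Detected"; dsize: >239; flags: A+; '
    'content:"|2F646566 61756C74 2E696461 3F4E4E4E|"; depth:64;)',
]

def parse_rule(rule):
    """Pull msg, content (as bytes), depth and dsize out of the option block."""
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    fields = {}
    for opt in opts.split(";"):
        if ":" not in opt:
            continue
        key, val = opt.split(":", 1)
        fields[key.strip()] = val.strip().strip('"')
    content = fields["content"]
    if content.startswith("|") and content.endswith("|"):
        # |..| is Snort's hex notation; spaces inside are cosmetic
        pattern = bytes.fromhex(content.strip("|").replace(" ", ""))
    else:
        pattern = content.encode()
    return {
        "msg": fields["msg"],
        "content": pattern,
        "depth": int(fields["depth"]) if "depth" in fields else None,
        "dsize": fields.get("dsize"),
    }

def dsize_ok(dsize, length):
    """dsize: >N, <N or exactly N; absent means any payload size."""
    if dsize is None:
        return True
    if dsize[0] in "<>":
        return length > int(dsize[1:]) if dsize[0] == ">" else length < int(dsize[1:])
    return length == int(dsize)

def matches(rule, payload):
    # depth restricts the search to the first N bytes of the payload
    window = payload if rule["depth"] is None else payload[: rule["depth"]]
    return dsize_ok(rule["dsize"], len(payload)) and rule["content"] in window

def alerts(payload):
    """Return the msg of every rule that fires on this payload, in rule order."""
    return [r["msg"] for r in map(parse_rule, RULES) if matches(r, payload)]

# Constructed payloads (not real captures): a CodeRed-shaped request, a normal one, and a short .ida probe
CODERED_PROBE = b"GET /default.ida?" + b"N" * 224 + b" HTTP/1.0\r\n"
BENIGN = b"GET /index.html HTTP/1.0\r\n"
SHORT_IDA = b"GET /x.ida?a HTTP/1.0\r\n"
```

Note that the short `.ida?` probe trips only the generic rule, which is exactly the trade-off Keith describes: it catches variants at the cost of flagging any `.ida` request at all.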

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
