Snort mailing list archives
RE: IDS296/web-misc_http-whisker-splicing-attack-space
From: "John Berkers" <berjo () ozemail com au>
Date: Sat, 4 Aug 2001 18:24:59 +1000
The 'Code Red' or IDA overflow signature is triggered by a number of things. Firstly it has to have a ".ida?" in the packet, and the packet (re-assembled) has to be greater than 239 bytes. Since the 'Code Red' worm sends its payload in lots of little packets (similarly to the Whisker script), you will get quite a few matches for IDS296. The IDS552 needs the complete stream of packets to get to 239 bytes before an alert will be triggered. If anything is preventing one of the subsequent packets getting through, the IDS552 will not be triggered.

I've been getting similar figures at my end, at least outside of our DMZ; inside I'm getting very few of IDS296, but a reasonable number of IDS552.

If anybody has any other comments on my understanding of the worm's MO, I'd like to hear 'em.

Regards,

John Berkers
berjo () ozemail com au

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of tnelson () starpoint com
Sent: Saturday, 4 August 2001 7:25
To: Andrew R. Baker
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] IDS296/web-misc_http-whisker-splicing-attack-space

Wouldn't it make sense then, that the number of IDS296 attacks ought to be roughly equal to the number of IDS552 attack detections? If that is true, then something is definitely wrong on my end, as I have 570 IDS296's and only 20 IDS552's today.

Tony

[snip]

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
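The behaviour John describes above, as an added illustration that is not part of the thread and not Snort's own rule code: a toy model in which a per-packet splicing check (IDS296) fires once for every small segment, while the .ida overflow check (IDS552) only evaluates the reassembled stream and needs both the ".ida?" string and more than 239 bytes. The 239-byte threshold and the ".ida?" string come from the post; the segment-size threshold for the splicing check, the segment size used for splitting, the sample request (a filler of "A" bytes, no real worm payload) and the gap-stopping reassembler are constructed assumptions for the example.

```python
# Added example (not from the mailing-list post or from Snort): models why one
# spliced HTTP stream produces many per-packet splicing alerts but at most one
# stream-level overflow alert, and none at all if a segment is lost.
from dataclasses import dataclass
from typing import Dict, List, Optional

IDA_SIZE_THRESHOLD = 239   # bytes, as stated in the post for the .ida signature
SPLICE_MAX_SEGMENT = 5     # ASSUMPTION: a segment this small or smaller trips the splicing check
SEGMENT_SIZE = 5           # ASSUMPTION: how finely the sender splices the request

# Constructed test request: a generic ".ida?" URI padded to 330 bytes with filler.
REQUEST = b"GET /default.ida?" + b"A" * 300 + b" HTTP/1.0\r\n\r\n"


@dataclass
class Segment:
    seq: int        # byte offset within the stream (stands in for a TCP sequence number)
    payload: bytes


def splice(stream: bytes, size: int) -> List[Segment]:
    """Split one request into many tiny segments, as a splicing client would."""
    return [Segment(i, stream[i:i + size]) for i in range(0, len(stream), size)]


def ids296_matches(segments: List[Segment]) -> int:
    """Per-packet check: every non-empty segment at or below the splice size counts."""
    return sum(1 for s in segments if 0 < len(s.payload) <= SPLICE_MAX_SEGMENT)


def reassemble(segments: List[Segment]) -> bytes:
    """Stream reassembly that stops at the first gap (a segment that never arrived)."""
    out = b""
    expected = 0
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq != expected:
            break                      # missing segment: later data cannot be placed
        out += s.payload
        expected += len(s.payload)
    return out


def ids552_matches(stream: bytes) -> bool:
    """Stream check: '.ida?' present (case-insensitive) and reassembled size > 239 bytes."""
    return b".ida?" in stream.lower() and len(stream) > IDA_SIZE_THRESHOLD


def simulate(drop_seq: Optional[int] = None) -> Dict[str, object]:
    """Run both checks over one spliced request, optionally losing the segment at drop_seq."""
    segments = [s for s in splice(REQUEST, SEGMENT_SIZE) if s.seq != drop_seq]
    stream = reassemble(segments)
    return {
        "segments": len(segments),
        "ids296": ids296_matches(segments),
        "ids552": ids552_matches(stream),
        "reassembled_bytes": len(stream),
    }


if __name__ == "__main__":
    print("all segments arrive:", simulate())
    print("segment at offset 45 lost:", simulate(drop_seq=45))
```

With every segment delivered the 330-byte request becomes 66 segments, so the splicing check fires 66 times while the overflow check fires once on the reassembled stream; lose a single early segment and the reassembler stops at the gap, the stream never exceeds 239 bytes, and IDS552 stays silent even though the splicing count barely changes. That asymmetry is the point of John's explanation: one counts packets, the other counts complete streams.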
Current thread:
- IDS296/web-misc_http-whisker-splicing-attack-space tnelson (Aug 03)
- Re: IDS296/web-misc_http-whisker-splicing-attack-space Andrew R. Baker (Aug 03)
- <Possible follow-ups>
- Re: IDS296/web-misc_http-whisker-splicing-attack-space tnelson (Aug 03)
- RE: IDS296/web-misc_http-whisker-splicing-attack-space John Berkers (Aug 04)