Snort mailing list archives

RE: IDS296/web-misc_http-whisker-splicing-attack-space


From: "John Berkers" <berjo () ozemail com au>
Date: Sat, 4 Aug 2001 18:24:59 +1000

The 'Code Red' or IDA overflow signature is triggered by a number of things.
Firstly it has to have a ".Ida?" in the packet, and the packet
(re-assembled) has to be greater than 239 bytes.

Since the 'Code Red' worm sends its payload in lots of little packets
(similarly to the Whisker script), you will get quite a few matches for
IDS296.

The IDS552 needs the complete stream of packets to get to 239 bytes before
an alert will be triggered.  If anything is preventing one of the subsequent
packets getting through, the IDS552 will not be triggered.

I've been getting similar figures at my end, at least outside of our DMZ,
inside I'm getting very few of IDS296, but a reasonable number of IDS552.

If anybody has any other comments on my understanding of the worm's MO, I'd
like to hear 'em.

Regards,
John Berkers
berjo () ozemail com au


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of
tnelson () starpoint com
Sent: Saturday, 4 August 2001 7:25
To: Andrew R. Baker
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] IDS296/web-misc_http-whisker-splicing-attack-space


Wouldn't it make sense then, that the number of IDS296 attacks ought to be
roughly equal to the number of IDS552 attack detections?  If that is true,
then something is definitely wrong on my end, as I have 570 IDS296's and
only 20 IDS552's today.

Tony
[snip]