Snort mailing list archives
Problem with Code Red signature
From: "Jyri Hovila" <jyri.hovila () iki fi>
Date: Sun, 5 Aug 2001 22:30:09 +0300
Hi everyone!

I'm running Snort 1.8 and using the latest ruleset available. I've added a signature for Code Red to local.rules. In snort.conf, I load local.rules first, and the rest of the rule files after it.

When I'm hit by a Code Red attempt, Snort usually reports it correctly. However, immediately after that, I also get one or more hits of "WEB-IIS ISAPI .ida attempt". My logs look like this:

Aug 5 20:03:14 my.firewall.box snort[000]: LOCAL Code Red IDA Overflow: 111.222.333.444:1234 -> my.firewall.box:80
Aug 5 20:03:15 my.firewall.box snort[000]: WEB-IIS ISAPI .ida attempt: 111.222.333.444:1234 -> my.firewall.box:80
Aug 5 20:03:15 my.firewall.box snort[000]: WEB-IIS ISAPI .ida attempt: 111.222.333.444:1234 -> my.firewall.box:80
Aug 5 20:03:16 my.firewall.box snort[000]: WEB-IIS ISAPI .ida attempt: 111.222.333.444:1234 -> my.firewall.box:80

Sometimes I get *only* the "WEB-IIS ISAPI .ida attempt"; the Code Red signature doesn't seem to 'fire' at all. I thought this could mean that I'm being scanned for the .ida vulnerability by some script kiddie and not by the Code Red worm, but I checked the log saved in tcpdump format and it sure looked like a Code Red worm to me. (I'm aware of the new variant of Code Red, but it wasn't that. There was the 'www.worm.com' string etc.)

I'm using only the frag2 preprocessor. Could stream4 or stream4_reassemble fix my problem?

Here is my Code Red signature:

alert tcp $EXTERNAL_NET any <> $HTTP_SERVERS 80 (msg: "LOCAL Code Red v1 IDA Overflow"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|";)

And here's the WEB-IIS ISAPI .ida signature:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:attempted-admin; sid:1243; rev:1;)

Thanks!
=) - Jyri

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
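The two rules quoted in the post are not mutually exclusive: a packet can satisfy the dsize, flags and content conditions of both at once. The following is an added example (not code from the post or from Snort) that models just those three conditions for each rule and runs them over constructed request payloads; it assumes uricontent is a case-insensitive search of the request-line URI, and the payload filler bytes are invented, not worm traffic.

```python
from dataclasses import dataclass

# Bytes from the local rule's content option:
# "|2F646566 61756C74 2E696461 3F4E4E4E|" == b"/default.ida?NNN"
LOCAL_CONTENT = bytes.fromhex("2F646566" "61756C74" "2E696461" "3F4E4E4E")
# uricontent from sid:1243, matched with nocase
IDA_URICONTENT = b".ida?"


@dataclass
class Packet:
    flags: str      # TCP flag letters as Snort prints them, e.g. "PA"
    payload: bytes  # TCP payload; dsize is its length


def ack_plus(flags: str) -> bool:
    """flags:A+ means ACK must be set; any other flags may also be set."""
    return "A" in flags


def uri_of(payload: bytes) -> bytes:
    """Request-URI is the second token of the HTTP request line (assumption)."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def local_code_red_rule(pkt: Packet) -> bool:
    """dsize:>239; flags:A+; content:"/default.ida?NNN" (case-sensitive)."""
    return len(pkt.payload) > 239 and ack_plus(pkt.flags) and LOCAL_CONTENT in pkt.payload


def web_iis_ida_rule(pkt: Packet) -> bool:
    """dsize:>239; flags:A+; uricontent:".ida?"; nocase."""
    return (len(pkt.payload) > 239 and ack_plus(pkt.flags)
            and IDA_URICONTENT in uri_of(pkt.payload).lower())


def evaluate(pkt: Packet) -> dict:
    """Which of the two rules would fire on this packet."""
    return {"LOCAL Code Red v1 IDA Overflow": local_code_red_rule(pkt),
            "WEB-IIS ISAPI .ida attempt": web_iis_ida_rule(pkt)}


# Constructed sample packets (shape only; the filler is made up).
CODE_RED_LIKE = Packet("PA", b"GET /default.ida?" + b"N" * 224 + b" HTTP/1.0\r\n\r\n")
GENERIC_IDA = Packet("PA", b"GET /foo.IDA?" + b"X" * 240 + b" HTTP/1.0\r\n\r\n")
SMALL_IDA = Packet("PA", b"GET /default.ida?NNN HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in [("code-red-like", CODE_RED_LIKE), ("generic", GENERIC_IDA), ("small", SMALL_IDA)]:
        print(name, evaluate(pkt))
```

Both rules fire on the Code Red-shaped request; the generic .ida probe fires only sid:1243, and a short request fires neither because of dsize.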
Current thread:
- Problem with Code Red signature Jyri Hovila (Aug 05)
- RE: Problem with Code Red signature John Berkers (Aug 06)
- Evasive RST? George D. Nincehelser (Aug 06)
- Re: Evasive RST? Robert van der Meulen (Aug 06)
- Evasive RST? George D. Nincehelser (Aug 06)
- <Possible follow-ups>
- RE: Problem with Code Red signature Graeme Fowler (Aug 05)
- RE: Problem with Code Red signature Jyri Hovila (Aug 05)
- RE: Problem with Code Red signature John Berkers (Aug 06)