Snort mailing list archives
RE: New Code Red Variant
From: "John Davey" <john () davey net au>
Date: Mon, 6 Aug 2001 16:01:30 +0930
All one line of course

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI CodeRed II Worm"; uricontent:"|00 00 00 43 6F 64 65 52 65 64 49 49 00 8B 1C 24|"; offset: 560; depth: 16; dsize:>576; flags:A+; reference:arachnids,552; classtype:attempted-admin; sid:1000001; rev:1;)
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Jim Hankins
Sent: Monday, 6 August 2001 2:14 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] New Code Red Variant

Does anyone have a rule for the new code red variant? This one sounds UGLY! I'd be interested in a specific rule and a general rule for the vulnerability. I want to be able to track which is what as I'm getting a fair amount of alerts for IIS type attempts against my machines.

--
Jim Hankins
http://www.hankinsbay.com
jhankins () hankinsbay com
810-716-8480

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
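How the payload options in the rule posted above (flags, dsize, offset, depth and the byte pattern) combine, as an added example that is not part of the original post and is not Snort code. It assumes the pattern is checked against the raw TCP payload with `content`-style semantics, where depth is the window length counted from offset; the function names and the filler payloads are constructed for illustration.

```python
# Added example: evaluates the rule's payload options against raw bytes.
# Assumption: raw-payload matching, depth measured from offset.

TCP_ACK = 0x10


def parse_content(pattern: str) -> bytes:
    """Decode a Snort content string: literal text outside |...|, hex inside."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2:                          # odd chunks sit between pipes
            out += bytes.fromhex(chunk)    # spaces between hex pairs are ignored
        else:
            out += chunk.encode("latin-1")
    return bytes(out)


# Pattern and option values copied from the rule in the post.
SIGNATURE = parse_content("|00 00 00 43 6F 64 65 52 65 64 49 49 00 8B 1C 24|")
OFFSET, DEPTH, MIN_DSIZE = 560, 16, 576


def rule_matches(payload: bytes, tcp_flags: int) -> bool:
    """Return True when every option of the rule is satisfied."""
    if not tcp_flags & TCP_ACK:            # flags:A+  (ACK set, others allowed)
        return False
    if len(payload) <= MIN_DSIZE:          # dsize:>576
        return False
    window = payload[OFFSET:OFFSET + DEPTH]  # offset:560; depth:16
    return SIGNATURE in window


def build_sample(sig_at: int, total: int) -> bytes:
    """Constructed test payload: filler bytes with the pattern at sig_at."""
    buf = bytearray(b"A" * total)
    buf[sig_at:sig_at + len(SIGNATURE)] = SIGNATURE
    return bytes(buf)


if __name__ == "__main__":
    print("embedded ASCII:", SIGNATURE[3:12].decode())
    for sig_at, total, flags in [(560, 600, 0x18), (559, 600, 0x18),
                                 (560, 576, 0x18), (560, 600, 0x02)]:
        hit = rule_matches(build_sample(sig_at, total), flags)
        print(f"sig_at={sig_at} dsize={total} flags={flags:#04x} -> {hit}")
```

Because depth equals the pattern length, the window holds exactly 16 bytes, so the rule alerts only when the pattern starts at byte 560 of a payload longer than 576 bytes.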
Current thread:
- New Code Red Variant Jim Hankins (Aug 05)
- RE: New Code Red Variant John Davey (Aug 05)