Snort mailing list archives
Re: Re: Definitive Code Red rule
From: Brian Caswell <bmc () mitre org>
Date: Tue, 07 Aug 2001 11:42:46 -0400
Ush wrote:
On Mon, Aug 06, 2001 at 01:38:09PM -0700, Migus, Adam wrote:Ok so there's a thousand emails going around about the Code Red Worm. So what is the definitive rule/signature for snort 1.7 and 1.8 that people are using?I would very much like to know this too. I have the latest ruleset for 1.8 from whitehats, and not a mention of Code Red in there :(
Uh, Yeah. Cause like CODEDRED is like so leet and zero day. And stuff. alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq attempt"; uricontent:".idq?"; nocase; dsize:>239; flags:A+; reference:arachnids,553; classtype:attempted-admin; reference:cve,CAN-2001-0500; sid:1244; rev:1;) Added to CVS : Wed Jun 20 14:23:44 2001 UTC Added to ArachNIDS : June 21 2001 -- Brian Caswell The MITRE Corporation _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Definitive Code Red rule Migus, Adam (Aug 06)
- Re: Definitive Code Red rule Ush (Aug 07)
- Re: Re: Definitive Code Red rule Brian Caswell (Aug 07)
- RE: Re: Definitive Code Red rule Eric Johansen (Aug 07)
- Re: Re: Definitive Code Red rule Brian Caswell (Aug 07)
- Re: Re: Definitive Code Red rule Brian Caswell (Aug 07)
- Re: Re: Definitive Code Red rule Erek Adams (Aug 07)
- Re: Definitive Code Red rule Ush (Aug 07)
- <Possible follow-ups>
- RE: Re: Definitive Code Red rule Steve Halligan (Aug 07)