Snort mailing list archives

RE: Re: Definitive Code Red rule


From: "Eric Johansen" <eric.johansen () reliastar com>
Date: Tue, 7 Aug 2001 10:59:57 -0500

Uh...isn't codered an .IDA attempt and not .IDQ?  I don't think the rule
you posted will do much good for codered. :)



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Brian
Caswell
Sent: Tuesday, August 07, 2001 10:43 AM
To: Ush
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Re: Definitive Code Red rule


Ush wrote:

On Mon, Aug 06, 2001 at 01:38:09PM -0700, Migus, Adam wrote:

Ok so there's a thousand emails going around about the Code Red 
Worm.  So what is the definitive rule/signature for snort 1.7 and 
1.8 that people are using?

I would very much like to know this too. I have the latest ruleset for
1.8 from whitehats, and not a mention of Code Red in there :(

Uh, Yeah.  Cause like CODEDRED is like so leet and zero day.  And stuff.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq attempt"; uricontent:".idq?"; nocase; dsize:>239; flags:A+; reference:arachnids,553; classtype:attempted-admin; reference:cve,CAN-2001-0500; sid:1244; rev:1;)

Added to CVS : Wed Jun 20 14:23:44 2001 UTC
Added to ArachNIDS : June 21 2001

-- 
Brian Caswell
The MITRE Corporation

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
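
Added example (not from the thread or the Snort project): a simplified Python model of the detection options in the rule quoted above (uricontent with nocase, dsize, flags), run over constructed request URIs to show which extensions it alerts on. The sample paths, the padding and the `.ida?` variant are assumptions made for illustration; this is not Snort's matching engine.

```python
import re

# The rule as posted in the thread (sid 1244), joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
        '(msg:"WEB-IIS ISAPI .idq attempt"; uricontent:".idq?"; nocase; '
        'dsize:>239; flags:A+; reference:arachnids,553; '
        'classtype:attempted-admin; reference:cve,CAN-2001-0500; sid:1244; rev:1;)')

def parse_options(rule):
    """Map each option name to its list of values; bare keywords get True."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {}
    for m in re.finditer(r'\s*(\w+)(?::("[^"]*"|[^;]*))?;', body):
        val = True if m.group(2) is None else m.group(2).strip('"')
        opts.setdefault(m.group(1), []).append(val)
    return opts

def matches(opts, uri, payload_len, tcp_flags):
    """Simplified model of uricontent/nocase, dsize and flags (not Snort's engine)."""
    needle, hay = opts["uricontent"][0], uri
    if "nocase" in opts:
        needle, hay = needle.lower(), hay.lower()
    min_size = int(opts["dsize"][0].lstrip(">"))   # dsize:>239
    ack_set = "A" in tcp_flags                     # flags:A+ = ACK plus any others
    return needle in hay and payload_len > min_size and ack_set

PAD = "X" * 300  # constructed filler so the payload exceeds the dsize threshold
SAMPLES = {      # constructed URIs, not captured traffic
    "idq": "/scripts/sample.idq?" + PAD,
    "ida": "/scripts/sample.ida?" + PAD,
    "idq_upper": "/SCRIPTS/SAMPLE.IDQ?" + PAD,
    "idq_short": "/scripts/sample.idq?a=1",
}

def evaluate(rule=RULE):
    """Return {sample name: would the modeled rule alert?}."""
    opts = parse_options(rule)
    return {name: matches(opts, uri, len(f"GET {uri} HTTP/1.0\r\n\r\n"), "AP")
            for name, uri in SAMPLES.items()}

# Hypothetical variant for comparison only; this rule is not from the thread.
IDA_VARIANT = RULE.replace('uricontent:".idq?"', 'uricontent:".ida?"')

if __name__ == "__main__":
    print("posted rule :", evaluate())
    print(".ida variant:", evaluate(IDA_VARIANT))
```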

