CRv3?? [was RE: Code Red Rule?]

[Mike Baptiste <baptiste () cc-concepts com>]

Removing the 'default' was a good idea.  I'm not sure if these are Code Red v3 
or some other probe tool, but since 5PM today my web servers have been probed 
about 10 times and the probe is NOT the same as CRv2:

136.176.193.[some#] - - [31/Jul/2001:16:57:45 -0400] "GET /x.ida?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X HTTP/1.1" 404 
280 "-" "-"

[somehost].bradley.edu - - [31/Jul/2001:17:09:40 -0400] "GET /x.ida?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X HTTP/1.1" 404 
211 "-" "-"

Each of my servers gets probed twice by the same infected host, about 2 minutes 
apart.

Just thought I'd pass on the info - this may be something else entirely - I 
tried searching for this signature and came up empty but the various security 
sites are a bit slow tonight (no surprise) and the searches didn't always work.

We'll see how it goes!

Mike


Quoting John Berkers <berjo () ozemail com au>:

> For Snort 1.7 I would suggest content:".ida?";nocase , for snort 1.8
> uricontent:".ida?";nocase
>
> Removing the /default portion of the content makes the signature more
> generic, since in theory the ida overflow could be done via index.ida as
> well.  The ? reduces the number of false alerts as the ? is required to
> produce the overflow.  Finally, the nocase removes any case sensitivity
> the
> rule would otherwise have, which Windows doesn't.  It might also be
> worthwhile to add a dsize: >239; flags A+ as per both Snort and
> Whitehats
> rules to further reduce false positives.
>
> The rule already exists in web-iis.rules from snort CVS since 19 June,
> and
> also in Whitehats vision17.rules and vision18.rules from around the same
> time.
>
> Lets hope all the preparation has paid off!
>
> Regards,
>
> John Berkers
> berjo () ozemail com au
>
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Richard
> Parker
> Sent: Tuesday, 31 July 2001 4:57
> To: Snort-users () lists sourceforge net
> Subject: [Snort-users] Code Red Rule?
>
>
> Hi,
>
> I'm relatively new to snort, could someone comment on this rule for
> catching Code Red?
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Code Red default.ida
> attempt"; flags:PA; content:"GET /default.ida"; nocase;)
>
> Is that right?
>
> TIA
>
> Rich
>
> --
> Richard Parker, Expressive Limited
>
> -> bash luser
> With what? Your bare hands?
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users