Security Basics mailing list archives
RE: New scanner?
From: "newsletters" <listserv () citadelconsulting net>
Date: Mon, 25 Nov 2002 12:51:49 -0500
Regarding the Snort rules conflict, I looked for CodeRed v2 rules on the snort mailing list and found some varying documentation in the list archive. The official documentation lists the following, and it would appear that this doesn't show proof of a compromise. If this is the case I officially "eat crow" and apologize for the mistake. However, I would never endorse rebuilding a server based on a singular post on a mailing list.

I am also somewhat confused about the rule. The syntax shows "established". I assume that this means that connectivity was established, but not what the server response included (i.e. 400, 500, or 200). If Jeremy is available it would be nice to hear what his findings were.

I appreciate the debate from HC. Without the debate I wouldn't have considered another point of view.

CB

Link to snort rule #1256 documentation: http://www.snort.org/snort-db/sid.html?sid=1256

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:7;)

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Monday, November 25, 2002 9:19 AM
To: security-basics () securityfocus com
Subject: RE: New scanner?

A couple of things...

First off, it's good that snort is running to catch these things.

To CB... "My opinion would be to rebuild the box with all current patches and service packs."

Why? Just b/c snort picked up the signatures, doesn't mean that the box was actually compromised...does it? After all, the snort signatures are specific enough to pick up the inbound signatures, but nothing from Jeremy shows what the response codes from IIS are...do they? Jeremy didn't mention anything about the server's responses, nor did he post the web logs. In fact, Jeremy never actually said which web server (if any) he's running!

The assumption is that Jeremy is running IIS...and this may actually be the case. However, Jeremy's post has only the snort signature titles, and nothing else. What this shows is that there is still a propensity to make assumptions, not only regarding posts such as Jeremy's, but in incident response investigations, as well.
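On the "established" question raised above: in a Snort rule, flow:to_server,established matches only packets that belong to a TCP session whose handshake the stream preprocessor has already seen, and that travel toward the server. It says nothing about what the server answered, so sid 1256 by itself cannot tell a scan that got a 404 from a request that reached a working root.exe backdoor. The check both posters are asking for is to pull the matching requests out of the IIS web log and read the sc-status column. The script below is an added example written for this archive page, not code from either poster; it runs over a constructed IIS W3C extended log (the sample lines, IP addresses and timestamps are made up) and reports which of the root.exe/cmd.exe requests the server actually served.

```python
"""Correlate a Snort 'root.exe access' alert with IIS web log status codes.

Added example for this thread. The log below is constructed, not taken
from any poster's server; the field list is the IIS 5.0 W3C default
trimmed to the columns that matter here.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-11-25 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-11-25 09:01:12 192.0.2.10 GET /default.htm - 200 Mozilla/4.0
2002-11-25 09:02:31 198.51.100.7 GET /scripts/root.exe /c+dir 404 -
2002-11-25 09:02:32 198.51.100.7 GET /MSADC/root.exe /c+dir 404 -
2002-11-25 09:02:33 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2002-11-25 09:02:34 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 -
2002-11-25 11:47:05 203.0.113.9 GET /scripts/root.exe /c+dir 200 -
"""

# URI stems that sid 1256 and its cmd.exe siblings fire on. root.exe is the
# copy of cmd.exe that Code Red II left in the IIS script directories.
BACKDOOR_STEMS = re.compile(r"/(root|cmd)\.exe$", re.IGNORECASE)


@dataclass
class Hit:
    when: str
    client: str
    stem: str
    query: str
    status: int
    verdict: str


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by field name.

    Directive lines start with '#'; the '#Fields:' directive names the
    columns for the entries that follow it. A '-' means an empty value.
    """
    fields, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry; skip rather than guess
        records.append({k: ("" if v == "-" else v) for k, v in zip(fields, values)})
    return records


def triage(records):
    """Return a Hit for every request a root.exe/cmd.exe Snort rule would match.

    The verdict comes from sc-status, which the Snort alert cannot see:
    a 2xx means IIS found the file and executed it (the backdoor, or the
    traversal to cmd.exe, actually worked); a 404 means the request
    arrived but nothing was served.
    """
    hits = []
    for r in records:
        if not BACKDOOR_STEMS.search(r["cs-uri-stem"]):
            continue
        status = int(r["sc-status"])
        if 200 <= status < 300:
            verdict = "served"
        elif status == 404:
            verdict = "not_found"
        else:
            verdict = "other"  # 403, 500 etc.: look at these by hand
        hits.append(Hit(f'{r["date"]} {r["time"]}', r["c-ip"],
                        r["cs-uri-stem"], r["cs-uri-query"], status, verdict))
    return hits


def compromised_clients(hits):
    """Clients whose backdoor request was actually served, in log order."""
    seen = []
    for h in hits:
        if h.verdict == "served" and h.client not in seen:
            seen.append(h.client)
    return seen


if __name__ == "__main__":
    found = triage(parse_w3c(SAMPLE_LOG))
    for h in found:
        print(f"{h.when} {h.client:15} {h.status} {h.verdict:10} {h.stem}?{h.query}")
    print("served a backdoor request to:", compromised_clients(found) or "nobody")
```

Against a real box, feed parse_w3c() the contents of the log files under %SystemRoot%\system32\LogFiles\W3SVCn\ (the IIS 5 default) instead of SAMPLE_LOG. A "served" verdict is positive evidence that the file was there and ran; a log full of 404s is only evidence that those particular probes failed, and a log that could have been edited by whoever owned the box proves nothing on its own, so the web log narrows the question rather than closing it.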
Current thread:
- RE: New scanner? H C (Nov 25)
- RE: New scanner? newsletters (Nov 25)
- RE: New scanner? H C (Nov 25)
- RE: New scanner? m0use (Nov 26)
- RE: New scanner? H C (Nov 25)
- RE: New scanner? newsletters (Nov 25)
- RE: New scanner? newsletters (Nov 25)
- RE: New scanner? newsletters (Nov 25)