Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: snort signature for new CodeRed varient

From: "David Brown" <dbrown () echoice com au>
Date: Sun, 5 Aug 2001 17:00:35 +1000
Joe,
Just tried the Snort sig  (1.7) and it did'nt pick up the latest CodeRedII
scan ?Snort reported it as IDS552 and the packet dump was a CodeRedII
packet.
Here is the snort rule agn:
alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; content:
"|46309a02 0000e80a 0000
0043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"; depth:624;)

Any ideas what I've done wrong ??

Rgds,

Dave


----- Original Message -----
From: "J Moll" <jmoll-lists () my-mbox com>
To: <incidents () securityfocus com>
Sent: Sunday, August 05, 2001 4:21 PM
Subject: snort signature for new CodeRed varient



All:

I'm using this Snort signature to distinguish between the original and

recent

varient of CodeRed.  I'm sure it can be optimized -- grabbed a bit of the
binary around the text "CodeRedII" in the packet to cut down on false
alarms.. putting it out so folks can log the differences.


alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+;

content:

"|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24
ff55d866 0bc00f95|"; depth:624;)


Best Regards,
Joe Moll

--
Joseph L. Moll, CISSP -- jmoll () autoproxy com

--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: