Security Incidents mailing list archives
Re: snort signature for new CodeRed variant
From: Joe Moll <jmoll () autoproxy com>
Date: Sun, 5 Aug 2001 19:20:07 -0700
We figured this one out offline.. was an order issue in the ruleset.

Best Regards,
Joe Moll

On Sunday 05 August 2001 00:00, David Brown wrote:
Joe,

Just tried the Snort sig (1.7) and it didn't pick up the latest CodeRedII scan? Snort reported it as IDS552 and the packet dump was a CodeRedII packet. Here is the snort rule agn:

alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; content: "|46309a02 0000e80a 0000 0043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"; depth:624;)

Any ideas what I've done wrong??

Rgds,
Dave

----- Original Message -----
From: "J Moll" <jmoll-lists () my-mbox com>
To: <incidents () securityfocus com>
Sent: Sunday, August 05, 2001 4:21 PM
Subject: snort signature for new CodeRed variant

All:

I'm using this Snort signature to distinguish between the original and recent variant of CodeRed. I'm sure it can be optimized -- grabbed a bit of the binary around the text "CodeRedII" in the packet to cut down on false alarms.. putting it out so folks can log the differences.

alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; content:"|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"; depth:624;)

Best Regards,
Joe Moll
--
Joseph L. Moll, CISSP -- jmoll () autoproxy com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
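An added example, not code from the thread: a small Python model of how ruleset order decides which alert you see for the same packet. It assumes Snort 1.x semantics (one alert per packet, the first matching rule in file order wins), uses an assumed stand-in content of ".ida?" for the generic IDS552 rule (the real rule text is not in the thread), and the packets are constructed, not captures.

```python
import re

# Two rules: an ASSUMED stand-in for the generic IDS552 ".ida" overflow rule (not its
# real text) and the CodeRedII rule posted in the thread.  Assumes Snort 1.x behaviour:
# one alert per packet, the first rule in ruleset order that matches wins.
GENERIC_IDA = ('alert tcp any any -> any 80 (msg:"IDS552 IIS ISAPI overflow ida (stand-in)"; '
               'flags:A+; content:".ida?"; depth:624;)')
CODERED2 = ('alert tcp any any -> any 80 (msg:"CodeRedII Overflow"; flags:A+; '
            'content:"|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"; '
            'depth:624;)')
AS_POSTED = [GENERIC_IDA, CODERED2]      # generic rule first: it shadows the specific one
SPECIFIC_FIRST = [CODERED2, GENERIC_IDA]  # specific rule first: the fix for the order issue

def parse_rule(rule):
    """Extract (msg, content bytes, depth) from a Snort rule's option block."""
    msg = re.search(r'msg:\s*"([^"]*)"', rule).group(1)
    depth = re.search(r'depth:\s*(\d+)', rule)
    raw = re.search(r'content:\s*"([^"]*)"', rule).group(1)
    # Text outside |...| is literal; inside the pipes it is hex, spaces ignored.
    pattern = b""
    for i, chunk in enumerate(raw.split("|")):
        pattern += chunk.encode("latin-1") if i % 2 == 0 else bytes.fromhex(chunk.replace(" ", ""))
    return msg, pattern, int(depth.group(1)) if depth else None

def first_alert(rules, payload):
    """Return the msg of the first matching rule; depth limits the search window from offset 0."""
    for rule in rules:
        msg, pattern, depth = parse_rule(rule)
        window = payload if depth is None else payload[:depth]
        if pattern in window:
            return msg
    return None

# Constructed payloads (not real captures): a CodeRedII-style request carrying the marker
# bytes from the rule, and a plain .ida probe that does not carry them.
CODERED2_BYTES = parse_rule(CODERED2)[1]
SAMPLE_CODERED2 = b"GET /default.ida?" + b"X" * 200 + CODERED2_BYTES + b" HTTP/1.0\r\n\r\n"
SAMPLE_IDA_PROBE = b"GET /default.ida?" + b"N" * 200 + b" HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    print("as posted     :", first_alert(AS_POSTED, SAMPLE_CODERED2))       # IDS552 stand-in fires
    print("specific first:", first_alert(SPECIFIC_FIRST, SAMPLE_CODERED2))  # CodeRedII Overflow
    print("plain probe   :", first_alert(SPECIFIC_FIRST, SAMPLE_IDA_PROBE)) # still IDS552 stand-in
```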
Current thread:
- snort signature for new CodeRed variant J Moll (Aug 04)
- Re: snort signature for new CodeRed variant David Brown (Aug 05)
- Re: snort signature for new CodeRed variant Joe Moll (Aug 05)
- Re: snort signature for new CodeRed variant David Brown (Aug 05)