Security Incidents mailing list archives
Snort Rules
From: "Jim Forster" <jforster () rapidnet com>
Date: Wed, 1 Aug 2001 09:18:56 -0600
Not sure if this will be of use to anyone on the list, but figured now is a good time to post 'em. :)

The following rules work with Snort 1.7+

This one being the most generic to catch .ida overflows-

alert tcp any any -> any 80 (content: ".ida?"; dsize: >239; msg: "Generic ida ISAPI Overflow"; flags: A+; nocase;)

These are more specific in their detection-

alert tcp any any -> 198.137.240.91 80 (msg:"Possible CodeRed Infection - Whitehouse connection";)
alert tcp any any -> any 80 (msg: "CodeRed Defacement Detected"; flags: A+; content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:64;)
alert tcp any any -> any 80 (msg: "CodeRed Overflow Detected"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|"; depth:64;)
alert tcp any any -> any 80 (msg: "Eeye Scanner for CodeRed"; dsize: >239; flags: A+; content:"|2F782e69 64613f41 41414141|"; depth:64;)

I have compiled Snort 1.8 with FlexResponse, and am using these rules to dump the packets as they hit.

alert tcp any any -> any 80 (msg: "RESET SENT - CodeRed Defacement"; flags: A+; content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:64; resp:rst_snd;)
alert tcp any any -> any 80 (msg: "RESET SENT - CodeRed Overflow"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|"; depth:64; resp:rst_snd;)
alert tcp any any -> any 80 (msg: "RESET SENT - Eeye Scanner"; dsize: >239; flags: A+; content:"|2F782e69 64613f41 41414141|"; depth:64; resp:rst_snd;)

Jim Forster
Network Administrator
RapidNet, A Golden West Company

--------------------------------------------------------
http://www.snort.org
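As an added illustration, not part of Jim Forster's post and not the Snort project's own code, the Python below reimplements just the rule options the rules above rely on (content with |hex| escapes, nocase, depth, dsize) and runs the four content-based rules over constructed sample HTTP payloads. It shows which alerts each payload would raise, why the dsize gate keeps a short .ida request from tripping the generic rule, and what the hex content strings decode to. The destination-IP-only "Whitehouse connection" rule has no payload test and is left out; the sample payloads are constructed here and are not captured traffic.

```python
# Added example (not from the original post): a minimal evaluator for the
# subset of Snort rule options used above, run over constructed payloads.

def parse_content(spec: str) -> bytes:
    """Convert a Snort content string to bytes.
    Text between '|' characters is hex (whitespace ignored); text outside
    the bars is taken literally, as in '|2F| .ida?'."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 1:                      # odd chunks sit inside |...|
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:
            out += chunk.encode("latin-1")
    return bytes(out)

def rule_matches(rule: dict, payload: bytes) -> bool:
    """Apply dsize / content / depth / nocase semantics to one TCP payload."""
    min_size = rule.get("dsize_gt")
    if min_size is not None and not len(payload) > min_size:
        return False                        # dsize: >N gate fails first
    pattern = rule["content"]
    # depth:N limits the search to the first N bytes of the payload
    haystack = payload[: rule["depth"]] if "depth" in rule else payload
    if rule.get("nocase"):
        return pattern.lower() in haystack.lower()
    return pattern in haystack

# The four content-based rules from the post, reduced to their option values.
RULES = [
    {"msg": "Generic ida ISAPI Overflow",
     "content": parse_content(".ida?"), "dsize_gt": 239, "nocase": True},
    {"msg": "CodeRed Defacement Detected",
     "content": parse_content("|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"), "depth": 64},
    {"msg": "CodeRed Overflow Detected",
     "content": parse_content("|2F646566 61756C74 2E696461 3F4E4E4E|"),
     "dsize_gt": 239, "depth": 64},
    {"msg": "Eeye Scanner for CodeRed",
     "content": parse_content("|2F782e69 64613f41 41414141|"),
     "dsize_gt": 239, "depth": 64},
]

def alerts_for(payload: bytes) -> list:
    """Return the msg of every rule that fires on this payload, in rule order."""
    return [r["msg"] for r in RULES if rule_matches(r, payload)]

# Constructed sample payloads (not real captures).
SAMPLES = {
    # ordinary request: no .ida?, well under dsize
    "benign": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    # long /default.ida?NNN... request: generic + overflow rules fire
    "codered_like": b"GET /default.ida?" + b"N" * 224 + b" HTTP/1.0\r\n\r\n",
    # long /x.ida?AAAA... request: generic + scanner rules fire
    "scanner_like": b"GET /x.ida?" + b"A" * 230 + b" HTTP/1.0\r\n\r\n",
    # .IDA? present (nocase would match) but payload is too small for dsize
    "short_ida": b"GET /foo.IDA?x HTTP/1.0\r\n\r\n",
    # the defacement byte sequence inside the first 64 bytes, no dsize gate
    "defacement_fragment": b"GET /default.ida?" + b"N" * 10
        + bytes.fromhex("FF8B8D64FEFFFF0FBE1185D27402EBD3") + b" HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:20s} len={len(payload):3d} -> {alerts_for(payload)}")
```

Running it prints one line per sample with the alert names that would fire; the "short_ida" sample is the instructive one, since ".IDA?" is present and nocase would match, but the dsize: >239 gate stops the generic rule, which is exactly the trade-off these rules make between catching the overflow and ignoring ordinary short .ida requests.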