Security Incidents mailing list archives
Re: .ida Intrusion Attempt
From: Stuart Staniford <stuart () silicondefense com>
Date: Thu, 19 Jul 2001 20:48:04 -0700
Russell Fulton wrote:
> On Thu, 19 Jul 2001 10:55:10 -0700 (PDT) Joe Smith <shadowm4n () yahoo com> wrote:
>
> > Interesting. I played around with the rules some, and figured out why snort wasn't finding it with the .ida rule. Since I'm only logging the first 100 bytes of data, the .ida rule misses it because part of the criteria of the rule is for data size to be greater than 239 bytes.
>
> Ahh... that explains that! My snort was seeing some '.ida?' probes *but* none of the machines that got hit by the red code worm were logged. The external addresses that were detected by snort appear to be probing random addresses on port 80 -- just like the red worm does. Are there two versions out there?
I've been working on that possibility for the last several hours. Data from Ken Eichman of cas.org at http://www.incidents.org/diary/diary.php show a sudden dramatic increase in the probe rate earlier this morning (US time). This could be consistent with a new version which is spreading much more effectively (possibly because it seeds its random number better). I'm trying to fit this data. If anyone has similar hourly data for the last day or two, or a freshly captured copy of the worm, I'd like to get hold of them.

If there is a second version, it looks like it has happened since the Eeye disassembly. I note also that www.whitehouse.gov is still fully accessible, which seems inconsistent with Eeye's prediction as modified by Eric at Symantec (see www.snort.org). I speculate that if there is a second worm, it does something else.

Hour   # Code Red Worm Scans   Scanning During the Hour
------ ---------------------   -------------------------
00     12699                   2450
01     13059                   2577
02     13272                   2590
03     13056                   2564
04     13283                   2632
05     13229                   2612
06     13554                   2601
07     13517                   2608
08     13746                   2685
09     16819                   3325
10     36589                   7838
11     116083                  26823
12     295348                  68085
13     466542                  103522
14     520973                  113451
15     513513                  115124
16     513894                  90931

-- 
Stuart Staniford --- President --- Silicon Defense
** Silicon Defense: Technical Support for Snort **
mailto:stuart () silicondefense com   http://www.silicondefense.com/
(707) 445-4355 x 16   (707) 445-4222 (FAX)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
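The detection point raised in the quoted part of this thread (a content rule with a "data size greater than 239 bytes" condition misses when the sensor only keeps the first 100 bytes of payload) is easy to see with a small model. The following is an added example, not code from the thread or from Snort: it is a simplified stand-in for a Snort-style rule with a content match and a dsize condition, run against a constructed request payload both at full length and truncated to 100 bytes. The rule name, the filler bytes in the sample request, and the `truncate`/`evaluate` helpers are all assumptions made for the illustration.

```python
# Added example (not from the original thread or from Snort): a minimal
# Snort-like rule check showing why a content rule with a dsize condition
# misses when the sensor only retains the first 100 bytes of payload.
from dataclasses import dataclass

SNAPLEN_PAYLOAD = 100   # payload bytes logged by the sensor in the thread


@dataclass
class Rule:
    name: str
    content: bytes      # substring that must appear in the payload
    min_dsize: int      # payload must be larger than this (like Snort "dsize:>N")


# Simplified stand-in for the ".ida" rule discussed in the thread: match on
# the ".ida?" request pattern and require a payload larger than 239 bytes.
# The rule name is a placeholder, not a real Snort signature.
IDA_RULE = Rule(name="hypothetical .ida probe rule", content=b".ida?", min_dsize=239)


def truncate(payload: bytes, snaplen: int = SNAPLEN_PAYLOAD) -> bytes:
    """Model a capture that retains only the first `snaplen` payload bytes."""
    return payload[:snaplen]


def rule_matches(rule: Rule, payload: bytes) -> bool:
    """Both options must hold, as with a Snort rule carrying content and dsize."""
    return rule.content in payload and len(payload) > rule.min_dsize


def evaluate(rule: Rule, payload: bytes) -> dict:
    """Evaluate a rule against the full payload and against its truncated copy."""
    return {
        "full_capture": rule_matches(rule, payload),
        "truncated_capture": rule_matches(rule, truncate(payload)),
    }


# Constructed sample request: an oversized ".ida?" query of the general shape
# the thread describes, built from filler bytes rather than any real probe.
SAMPLE_PROBE = b"GET /default.ida?" + b"X" * 300 + b" HTTP/1.0\r\n\r\n"

# Constructed short, ordinary .ida request that the rule should not fire on.
SAMPLE_BENIGN = b"GET /index.ida?q=1 HTTP/1.0\r\n\r\n"


if __name__ == "__main__":
    # Oversized probe: matches on the full capture, missed on the truncated one.
    print("probe :", evaluate(IDA_RULE, SAMPLE_PROBE))
    # Short request: no match either way, because the dsize condition fails.
    print("benign:", evaluate(IDA_RULE, SAMPLE_BENIGN))
```

In this model the truncation happens before the rule is evaluated, which is the behaviour the quoted message describes: the `.ida?` string is still present in the first 100 bytes, but the payload length the rule sees never exceeds 239, so the dsize condition fails and the oversized request is silently dropped from the alerts. The practical check is to compare the sensor's retained payload length against the largest dsize threshold in the loaded rule set; any rule whose threshold exceeds the retained length can never fire.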