Snort mailing list archives

Problem with Code Red signature


From: "Jyri Hovila" <jyri.hovila () iki fi>
Date: Sun, 5 Aug 2001 22:30:09 +0300

Hi everyone!

I'm running Snort 1.8 and using the latest ruleset available. I've added
signature for Code Red to local.rules. In snort.conf, I load local.rules
first, and rest of the rule files after it.

When I'm hit by a Code Red attempt, Snort usually reports it correctly.
However, immediately after that, I also get one or more hits of "WEB-IIS
ISAPI .ida attempt". My logs look like this:

Aug 5   20:03:14        my.firewall.box snort[000]:     LOCAL Code Red IDA Overflow: 111.222.333.444:1234 -> my.firewall.box:80
Aug 5   20:03:15        my.firewall.box snort[000]:     WEB-IIS ISAPI .ida attempt: 111.222.333.444:1234 -> my.firewall.box:80
Aug 5   20:03:15        my.firewall.box snort[000]:     WEB-IIS ISAPI .ida attempt: 111.222.333.444:1234 -> my.firewall.box:80
Aug 5   20:03:16        my.firewall.box snort[000]:     WEB-IIS ISAPI .ida attempt: 111.222.333.444:1234 -> my.firewall.box:80

Sometimes I get *only* the "WEB-IIS ISAPI .ida attempt"; the Code Red
signature doesn't seem to 'fire' at all. I thought this could mean that
I'm being scanned for the .ida vulnerability by some script kiddie and
not by the Code Red worm, but I checked the log saved in tcpdump format
and it sure looked like a Code Red worm to me. (I'm aware of the new
variant of Code Red, but it wasn't that. There was the 'www.worm.com'
string etc.)

I'm using only the frag2 preprocessor. Could stream4 or
stream4_reassemble fix my problem?

Here is my Code Red signature:

        alert tcp $EXTERNAL_NET any <> $HTTP_SERVERS 80 (msg: "LOCAL Code Red v1 IDA Overflow"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|";)

And here's the WEB-IIS ISAPI .ida signature:

        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:attempted-admin; sid:1243; rev:1;)

Thanks! =)

- Jyri


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
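The two rules quoted in the post test overlapping conditions on the same packet: both require dsize >239 and an ACK flag, and any request line that carries the Code Red marker "/default.ida?NNN" also carries ".ida?" in its URI, so a Code Red packet satisfies both. The script below is an added example, not code from the post or from Snort: it re-implements the matching logic of both rules in Python and runs it over constructed packets (a Code Red v1 request line, a plain .ida probe with and without padding, and a SYN-only packet). The packet bytes, the `flags`/`payload` representation, the first-match ordering (local.rules first, as the poster loads them), and all function names are assumptions of the example.

```python
"""Re-implement the two Snort rules from the post and run them over constructed packets.
Added example; the packet contents and the first-match ordering are assumptions."""

# content:"|2F646566 61756C74 2E696461 3F4E4E4E|" from the LOCAL rule, decoded.
CODE_RED_CONTENT = bytes.fromhex("2F646566 61756C74 2E696461 3F4E4E4E".replace(" ", ""))
assert CODE_RED_CONTENT == b"/default.ida?NNN"

MIN_DSIZE = 239  # both rules use dsize: >239


def flags_a_plus(flags: str) -> bool:
    """Snort 'flags: A+': ACK must be set, any other flag may also be set."""
    return "A" in flags


def request_uri(payload: bytes) -> bytes:
    """Pull the URI out of an HTTP request line ('GET /x HTTP/1.0'); this is what uricontent inspects."""
    request_line = payload.split(b"\r\n", 1)[0]
    fields = request_line.split(b" ")
    return fields[1] if len(fields) >= 2 else b""


def local_code_red(flags: str, payload: bytes) -> bool:
    """LOCAL Code Red v1 IDA Overflow: dsize >239, flags A+, raw content match."""
    return len(payload) > MIN_DSIZE and flags_a_plus(flags) and CODE_RED_CONTENT in payload


def web_iis_ida(flags: str, payload: bytes) -> bool:
    """WEB-IIS ISAPI .ida attempt (sid 1243): dsize >239, flags A+, uricontent '.ida?' nocase."""
    return len(payload) > MIN_DSIZE and flags_a_plus(flags) and b".ida?" in request_uri(payload).lower()


# Rule order as the poster loads them: local.rules first, then the stock rule files.
RULES = [
    ("LOCAL Code Red v1 IDA Overflow", local_code_red),
    ("WEB-IIS ISAPI .ida attempt", web_iis_ida),
]


def matching_rules(flags: str, payload: bytes, rules=RULES) -> list:
    """Every rule whose conditions the packet satisfies, in rule-file order."""
    return [name for name, match in rules if match(flags, payload)]


def first_match(flags: str, payload: bytes, rules=RULES):
    """The alert a first-match-wins engine would report (assumption: one alert per packet)."""
    hits = matching_rules(flags, payload, rules)
    return hits[0] if hits else None


def code_red_v1_request() -> bytes:
    """Constructed first packet of a Code Red v1 request: 224 'N's, %u-encoded payload, worm.com host header."""
    uri = b"/default.ida?" + b"N" * 224 + b"%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a"
    return b"GET " + uri + b" HTTP/1.0\r\nContent-type: text/xml\r\nHOST:www.worm.com\r\n\r\n"


def ida_probe(padding: int) -> bytes:
    """Constructed scanner probe for the .ida handler with no 'NNN' marker; padding controls dsize."""
    return b"GET /default.IDA?foo HTTP/1.0\r\nX-Pad: " + b"A" * padding + b"\r\n\r\n"


if __name__ == "__main__":
    samples = [
        ("Code Red v1, PSH+ACK", "AP", code_red_v1_request()),
        ("Code Red v1, SYN only", "S", code_red_v1_request()),
        (".ida probe, padded", "AP", ida_probe(300)),
        (".ida probe, short", "AP", ida_probe(10)),
    ]
    for label, flags, payload in samples:
        print(f"{label:24s} dsize={len(payload):4d} matches={matching_rules(flags, payload)} "
              f"first={first_match(flags, payload)}")
```

Running it shows the Code Red packet matching both rules with the LOCAL rule first because of load order, the padded probe matching only sid 1243 (the uppercase `.IDA?` is caught by `nocase`), and the short probe and the SYN-only packet matching neither because of the dsize and flags tests. Reversing `RULES` flips which alert comes first for the Code Red packet, which is the ordering dependency the poster's setup relies on.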

