RE: New Code Red Variant

["John Davey" <john () davey net au>]

All one line of course

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI
CodeRed II Worm"; uricontent:"|00 00 00 43 6F 64 65 52 65 64 49 49 00 8B
1C 24|"; offset: 560; depth: 16; dsize:>576; flags:A+;
reference:arachnids,552; classtype:attempted-admin; sid:1000001; rev:1;)

> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Jim Hankins
> Sent: Monday, 6 August 2001 2:14 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] New Code Red Variant
>
>
> Does anyone have a rule for the new code red variant? This one sounds
> UGLY!  I'd be interested in a specific rule and a general rule for the
> vulnerability.  I want to be able to track which is what as I'm getting
> a fair ammount of alerts for IIS type attempts against my machines.
>
>
>
> --
> Jim Hankins
> http://www.hankinsbay.com
> jhankins () hankinsbay com
> 810-716-8480
>
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users