Snort mailing list archives

RE: Problem with Code Red signature


From: "John Berkers" <berjo () ozemail com au>
Date: Mon, 6 Aug 2001 21:41:17 +1000

Your signature looks for /default.ida?NNN which is more specific than the
WEB-IIS ISAPI .ida attempt, but since both signatures fire only on a dsize >
239, they should only fire when they have that much data.  Personally I only
look for .ida?N to distinguish Code Red from a generic attack, I also use
stream4 & reassemble.  I'm also using Whitehats ruleset, augmenting it with
new rules using local.rules

I don't think stream4 will make a difference in the proportion of the
alerts, but you may find that more are being picked up since I believe that
a type of whisker splicing is being done.  I don't know if this means that
each attempt has an identical sequence of packets or not though.

Do be aware that there is also the new worm 'Code Red II' which uses XXX as
a filler instead of NNN.  Are you positive that the generic .ida? rule is
not firing for these, at least in some of the cases?

Just my thoughts.

Regards,
John Berkers
berjo () ozemail com au


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Jyri Hovila
Sent: Monday, 6 August 2001 5:30
To: snort-users () lists sourceforge net
Subject: [Snort-users] Problem with Code Red signature


Hi everyone!

I'm running Snort 1.8 and using the latest ruleset available. I've added
signature for Code Red to local.rules. In snort.conf, I load local.rules
first, and rest of the rule files after it.

When I'm hit by a Code Red attempt, Snort usually reports it correctly.
However, immediately after that, I also get one or more hits of "WEB-IIS
ISAPI .ida attempt". My logs look like this:

Aug 5   20:03:14        my.firewall.box snort[000]:     LOCAL Code Red
IDA Overflow: 111.222.333.444:1234 -> my.firewall.box:80
Aug 5   20:03:15        my.firewall.box snort[000]:     WEB-IIS ISAPI
.ida attempt: 111.222.333.444:1234 -> my.firewall.box:80
[snip]

Sometimes I get *only* the "WEB-IIS ISAPI .ida attempt"; the Code Red
signature doesn't seem to 'fire' at all. I thought this could mean that
I'm being scanned for the .ida vulnerability by some script kiddie and
not by the Code Red worm, but I checked the log saved in tcpdump format
and it sure looked like a Code Red worm to me. (I'm aware of the new
variant of Code Red, but it wasn't that. There was the 'www.worm.com'
string etc.)

I'm using only the frag2 preprocessor. Could stream4 or
stream4_reassemble fix my problem?

Here is my Code Red signature:

        alert tcp $EXTERNAL_NET any <> $HTTP_SERVERS 80 (msg: "LOCAL Code Red v1 IDA Overflow"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|";)

And here's the WEB-IIS ISAPI .ida signature:

        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:attempted-admin; sid:1243; rev:1;)

Thanks! =)

- Jyri


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
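The matching logic of the two rules above, re-created in plain Python as an added illustration (this is not Snort's engine and not code from either poster). It evaluates dsize, content and uricontent against constructed requests that only imitate the shape of the worm's request line (a long filler run followed by %u-encoded bytes; the real worm body is not reproduced), and it approximates uricontent as a case-insensitive search inside the request-URI of the first line, which is a simplification of Snort's URI normalisation. It shows why a Code Red v1 hit normally fires both rules, why the XXX filler of Code Red II or a hand-typed scan fires only the generic rule, and why the same request split across two TCP segments fires neither rule until the segments are reassembled:

```python
# Added illustration of the two Snort rule bodies in the thread, in plain Python.
# Assumptions: dsize is the length of one TCP payload; content is a raw byte
# search over that payload; uricontent is approximated by searching the
# request-URI of an HTTP request line (Snort normalises the URI first, which
# this code does not). Sample requests below are constructed, not captured.

# content:"|2F646566 61756C74 2E696461 3F4E4E4E|"  ==  b"/default.ida?NNN"
CODE_RED_CONTENT = bytes.fromhex("2F64656661756C742E6964613F4E4E4E")
GENERIC_URICONTENT = b".ida?"      # uricontent:".ida?"; nocase
MIN_DSIZE = 239                    # both rules carry dsize: >239


def request_uri(payload: bytes) -> bytes:
    """Return the request-URI of an HTTP request line, or b"" when the payload
    does not begin with one (for example a later TCP segment of the request)."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 3 or not parts[0].isalpha():
        return b""
    return parts[1]


def evaluate(payload: bytes) -> list[str]:
    """Apply both rule bodies to one TCP payload; return the msg strings that fire,
    local rule first because local.rules is loaded before the stock rules."""
    hits: list[str] = []
    if len(payload) <= MIN_DSIZE:                 # dsize: >239 gates both rules
        return hits
    if CODE_RED_CONTENT in payload:               # raw content match
        hits.append("LOCAL Code Red v1 IDA Overflow")
    if GENERIC_URICONTENT in request_uri(payload).lower():   # uricontent, nocase
        hits.append("WEB-IIS ISAPI .ida attempt")
    return hits


def ida_request(filler: bytes, repeat: int = 224) -> bytes:
    """Constructed .ida overflow request: a long filler run in the query string
    followed by a %u-encoded tail. Shape only; not the real worm bytes."""
    uri = b"/default.ida?" + filler * repeat + b"%u9090%u6858%ucbd3%u7801"
    return b"GET " + uri + b" HTTP/1.0\r\nContent-type: text/xml\r\n\r\n"


def evaluate_segments(payload: bytes, cut: int) -> dict:
    """Contrast per-packet matching with stream reassembly when the request is
    delivered as two TCP segments split at byte offset `cut`."""
    first, second = payload[:cut], payload[cut:]
    return {
        "per_segment": evaluate(first) + evaluate(second),  # what frag2-only Snort sees
        "reassembled": evaluate(first + second),            # what stream4 reassembly yields
    }


if __name__ == "__main__":
    print(evaluate(ida_request(b"N")))      # Code Red v1 filler: both rules fire
    print(evaluate(ida_request(b"X")))      # Code Red II filler: generic rule only
    print(evaluate(ida_request(b"A")))      # hand scan with another filler: generic only
    print(evaluate(b"GET /default.ida?NNN HTTP/1.0\r\n\r\n"))   # too short: neither
    print(evaluate_segments(ida_request(b"N"), 16))            # split request: neither, then both
```

The split case is the one worth keeping in mind when reading the logs in the thread: a segment that holds only "GET /default.ida" is under the dsize floor, and the following segment has no request line for uricontent to inspect, so neither rule fires on packets alone while both fire on the reassembled stream.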



