Snort mailing list archives
RE: Problem with Code Red signature
From: "John Berkers" <berjo () ozemail com au>
Date: Mon, 6 Aug 2001 21:41:17 +1000
Your signature looks for /default.ida?NNN which is more specific than the WEB-IIS ISAPI .ida attempt, but since both signatures fire only on a dsize > 239, they should only fire when they have that much data.

Personally I only look for .ida?N to distinguish Code Red from a generic attack; I also use stream4 & reassemble. I'm also using the Whitehats ruleset, augmenting it with new rules using local.rules.

I don't think stream4 will make a difference in the proportion of the alerts, but you may find that more are being picked up since I believe that a type of whisker splicing is being done. I don't know if this means that each attempt has an identical sequence of packets or not though.

Do be aware that there is also the new worm 'Code Red II' which uses XXX as a filler instead of NNN.

Are you positive that the generic .ida? rule is not firing for these, at least in some of the cases?

Just my thoughts.

Regards,
John Berkers
berjo () ozemail com au

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jyri Hovila
Sent: Monday, 6 August 2001 5:30
To: snort-users () lists sourceforge net
Subject: [Snort-users] Problem with Code Red signature

Hi everyone!

I'm running Snort 1.8 and using the latest ruleset available. I've added a signature for Code Red to local.rules. In snort.conf, I load local.rules first, and the rest of the rule files after it.

When I'm hit by a Code Red attempt, Snort usually reports it correctly. However, immediately after that, I also get one or more hits of "WEB-IIS ISAPI .ida attempt". My logs look like this:

Aug 5 20:03:14 my.firewall.box snort[000]: LOCAL Code Red IDA Overflow: 111.222.333.444:1234 -> my.firewall.box:80
Aug 5 20:03:15 my.firewall.box snort[000]: WEB-IIS ISAPI .ida attempt: 111.222.333.444:1234 -> my.firewall.box:80
[snip]

Sometimes I get *only* the "WEB-IIS ISAPI .ida attempt"; the Code Red signature doesn't seem to 'fire' at all.

I thought this could mean that I'm being scanned for the .ida vulnerability by some script kiddie and not by the Code Red worm, but I checked the log saved in tcpdump format and it sure looked like a Code Red worm to me. (I'm aware of the new variant of Code Red, but it wasn't that. There was the 'www.worm.com' string etc.)

I'm using only the frag2 preprocessor. Could stream4 or stream4_reassemble fix my problem?

Here is my Code Red signature:

alert tcp $EXTERNAL_NET any <> $HTTP_SERVERS 80 (msg: "LOCAL Code Red v1 IDA Overflow"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|";)

And here's the WEB-IIS ISAPI .ida signature:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:attempted-admin; sid:1243; rev:1;)

Thanks! =)

- Jyri

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
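The overlap the two posts are discussing can be checked offline. The block below is an added example, not code from either poster or from the Snort project: it models the two rules as plain byte matches (the hex content from the local rule decodes to "/default.ida?NNN"; the generic rule is a case-insensitive ".ida?" in the request URI; both require a payload longer than 239 bytes) and runs them over constructed sample requests. The request builder, the sample payloads and the two-segment split are assumptions made for illustration; real Snort matching (URI normalisation, stream4 reassembly) is richer than this stand-in.

```python
from typing import List

# Byte sequence taken from the local rule's content option:
# |2F646566 61756C74 2E696461 3F4E4E4E|  ->  b"/default.ida?NNN"
LOCAL_CONTENT = bytes.fromhex("2F646566" "61756C74" "2E696461" "3F4E4E4E")

LOCAL_MSG = "LOCAL Code Red v1 IDA Overflow"
GENERIC_MSG = "WEB-IIS ISAPI .ida attempt"   # sid:1243 in the thread


def request_uri(payload: bytes) -> bytes:
    """Return the URI of a request line ("GET <uri> HTTP/1.0"), or b"" if absent."""
    parts = payload.split(b" ", 2)
    return parts[1] if len(parts) >= 2 else b""


def local_code_red_rule(payload: bytes) -> bool:
    """Stand-in for the local rule: dsize:>239 and a case-sensitive content match."""
    return len(payload) > 239 and LOCAL_CONTENT in payload


def generic_ida_rule(payload: bytes) -> bool:
    """Stand-in for sid 1243: dsize:>239 and uricontent:".ida?" with nocase."""
    return len(payload) > 239 and b".ida?" in request_uri(payload).lower()


def which_rules_fire(payload: bytes) -> List[str]:
    """Evaluate one payload against both stand-in rules, in local.rules-first order."""
    fired = []
    if local_code_red_rule(payload):
        fired.append(LOCAL_MSG)
    if generic_ida_rule(payload):
        fired.append(GENERIC_MSG)
    return fired


def build_ida_request(filler: bytes, total_len: int) -> bytes:
    """Constructed sample: GET /default.ida?<filler...> HTTP/1.0, padded to total_len bytes.
    filler must be a single byte so the padding arithmetic is exact."""
    head = b"GET /default.ida?"
    tail = b" HTTP/1.0\r\n\r\n"
    pad = total_len - len(head) - len(tail)
    if len(filler) != 1 or pad < 0:
        raise ValueError("filler must be one byte and total_len >= %d" % (len(head) + len(tail)))
    return head + filler * pad + tail


def fire_per_packet(segments: List[bytes]) -> List[List[str]]:
    """Evaluate each TCP segment on its own, as Snort does without stream reassembly."""
    return [which_rules_fire(seg) for seg in segments]


def fire_reassembled(segments: List[bytes]) -> List[str]:
    """Evaluate the concatenated stream, as stream4 reassembly would present it."""
    return which_rules_fire(b"".join(segments))


# Constructed samples (assumptions, not captures from the thread):
CODE_RED_V1 = build_ida_request(b"N", 400)   # NNN filler, well over 239 bytes
CODE_RED_II = build_ida_request(b"X", 400)   # XXX filler, as John's reply describes
SHORT_PROBE = build_ida_request(b"N", 100)   # a .ida? request too small for either dsize check
SPLIT_STREAM = [CODE_RED_V1[:200], CODE_RED_V1[200:]]  # the 400-byte request in two 200-byte segments

if __name__ == "__main__":
    for name, payload in (("Code Red v1", CODE_RED_V1), ("Code Red II", CODE_RED_II),
                          ("short probe", SHORT_PROBE)):
        print("%-12s -> %s" % (name, which_rules_fire(payload) or "no alert"))
    print("split, per packet   ->", fire_per_packet(SPLIT_STREAM))
    print("split, reassembled  ->", fire_reassembled(SPLIT_STREAM))
```

Running it shows the three behaviours the thread describes: a single large NNN request satisfies both rules, so two alerts for one connection is the expected result rather than a sign the local rule is broken; an XXX request trips only the generic rule, which matches the "only WEB-IIS ISAPI .ida attempt" case for Code Red II traffic; and a request split into segments under 240 bytes trips neither rule per packet but both once the segments are reassembled, which is the difference stream4 reassembly makes.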