Snort mailing list archives

RE: Re: Definitive Code Red rule


From: Steve Halligan <agent33 () geeksquad com>
Date: Tue, 7 Aug 2001 11:27:31 -0500

what is the definitive rule/signature for snort 1.7 and 1.8 that people are using?


Uh, Yeah.  Cause like CODEDRED is like so leet and zero day.  And
stuff.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq attempt"; uricontent:".idq?"; nocase; dsize:>239; flags:A+; reference:arachnids,553; classtype:attempted-admin; reference:cve,CAN-2001-0500; sid:1244; rev:1;)

Added to CVS : Wed Jun 20 14:23:44 2001 UTC
Added to ArachNIDS : June 21 2001

I think caz meant msg:"Web-IIS ISAPI .ida attempt"...

same CVS date, etc.
-steve 
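
The distinction raised in the message above (the posted rule keys on ".idq?", while the reply says the ".ida" rule was meant), as an added example that is not part of the original post or of Snort itself: a small Python evaluator for only the options this rule uses, run over constructed requests. RULE_IDA, the helper names and the sample payloads are assumptions made for illustration, and the evaluator skips Snort's URI normalization.

```python
import re

ACK = 0x10  # TCP ACK bit in the flags byte
OPTION = re.compile(r'\s*([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

# Rule text as posted in the message, joined onto one line.
RULE_IDQ = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq attempt"; '
            'uricontent:".idq?"; nocase; dsize:>239; flags:A+; reference:arachnids,553; '
            'classtype:attempted-admin; reference:cve,CAN-2001-0500; sid:1244; rev:1;)')
# Assumption: the .ida rule differs only in the extension; sid/references omitted (not on the page).
RULE_IDA = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; '
            'uricontent:".ida?"; nocase; dsize:>239; flags:A+;)')

def parse_options(rule):
    """Return the rule's option list as {keyword: [values]}."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {}
    for m in OPTION.finditer(body):
        opts.setdefault(m.group(1), []).append((m.group(2) or "").strip().strip('"'))
    return opts

def request_uri(payload):
    """Second token of the HTTP request line (no URI normalization, unlike Snort)."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""

def matches(opts, payload, tcp_flags):
    """Evaluate only the option forms this rule uses: flags:A+, dsize:>N, uricontent, nocase."""
    if opts.get("flags") == ["A+"] and not tcp_flags & ACK:
        return False                      # A+ = ACK set, any other bits allowed
    for d in opts.get("dsize", []):
        if not len(payload) > int(d.lstrip(">")):
            return False                  # dsize compares the packet payload size
    uri = request_uri(payload)
    fold = (lambda b: b.lower()) if "nocase" in opts else (lambda b: b)
    return all(fold(n.encode()) in fold(uri) for n in opts.get("uricontent", []))

# Constructed sample payloads (filler bytes only, not captured traffic).
IDA_LONG = b"GET /default.ida?" + b"A" * 300 + b" HTTP/1.0\r\n\r\n"
IDQ_LONG = b"GET /SEARCH.IDQ?" + b"A" * 300 + b" HTTP/1.0\r\n\r\n"
IDQ_SHORT = b"GET /search.idq?q=1 HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, rule in (("idq", RULE_IDQ), ("ida", RULE_IDA)):
        print(name, [matches(parse_options(rule), p, 0x18) for p in (IDA_LONG, IDQ_LONG, IDQ_SHORT)])
```

The .idq rule stays silent on the long .ida request, which is why the choice of extension in uricontent matters when picking a rule.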
