RE: CodeRed from non-IIS machines???

[Kevin Brown <Kevin.M.Brown () asu edu>]

What does the rule look like that is catching this behavior.  It is likely
the rule needs to be tuned or altered to reduce the potential number of
false positives.

> I've been learning Snort on the fly attempting to track down
> CodeRed-infected machines here at my university.  
> Unfortunately, we have
> many partially-administered IIS servers on the network.  Fortunately,
> that number is dropping as a result of CodeRed and CodeRed II.
>
> I started seeing some very odd things since getting 1.8.1-beta6 up and
> running on Solaris8 / Ultra5 last night.  What I'm seeing is several
> machines that are NOT Win2k boxes OR running IIS being the sources of
> CodeRed I-style overflows.  All IP's seem to be NT4.0 or 98 
> boxes, some
> of them locked-down lab workstation.  The destination addresses are
> rather odd, as well, being rather popular surfing 
> destinations, such as
> cgi.ebay.com, aolmail.aol.com, www.law8.hotmail.com, and our ISP's
> akamaitech cache, not random, off-the-wall hits and misses like I
> expected.  
>
> I was able to get a peek at one of the machines this morning, and did
> not find anything unusual, although Explorer seemed rather willing to
> segfault rather frequently.  Coming from a UNIX background, I wasn't
> exactly sure where to look for anything nasty, and I was also 
> perplexed
> as this was a lab machine that are pretty neatly locked down (AFAIK).
>
> Has anyone else found anything similar?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users