Snort mailing list archives

Re: CodeRedII again?


From: Skip Carter <skip () taygeta com>
Date: Wed, 22 Aug 2001 09:13:45 -0700


 Had a warez "attack" on our web/ftp server last two days (thinking of writing some
 rules for detecting it, can be interesting?), and noticed quite some Code Red alerts
 in the logs, the thing I reacted to was that it contained the string "CodeRedII"...
 Anyone know about this variant?

 btw. does anyone know if it's possible to add more than one "detection-string" to a rule?

   I wouldn't put too much energy in looking for the 'CodeRedII' string,
   yesterday we started seeing a variation where that string is replaced
   with '_________' but is otherwise identical.



-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    UUCP:     ...!uunet!taygeta!skip
 Monterey, CA. 93940            WWW: http://www.taygeta.com/skip.html












_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

