Snort mailing list archives
RE: CRv3?? [was RE: Code Red Rule?]
From: Chris Owen <cowen () gt ca>
Date: Tue, 31 Jul 2001 19:32:14 -0400
I believe this is eeye's scanning tool but I could be incorrect. Please verify for yourself. Download the CodeRed Scanner version 2.0 here: http://www.eeye.com/html/Research/Tools/CodeRedScanner.exe (Updated) Chris. -----Original Message----- From: Mike Baptiste [mailto:baptiste () cc-concepts com] Sent: Tuesday, July 31, 2001 3:54 PM To: berjo () ozemail com au; John Berkers Cc: Snort Users List (E-mail) Subject: CRv3?? [was RE: [Snort-users] Code Red Rule?] Removing the 'default' was a good idea. I'm not sure if these are Code Red v3 or some other probe tool, but since 5PM today my web servers have been probed about 10 times and the probe is NOT the same as CRv2: 136.176.193.[some#] - - [31/Jul/2001:16:57:45 -0400] "GET /x.ida? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X HTTP/1.1" 404 280 "-" "-" [somehost].bradley.edu - - [31/Jul/2001:17:09:40 -0400] "GET /x.ida? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X HTTP/1.1" 404 211 "-" "-" Each of my servers gets probed twice by the same infected host, about 2 minutes apart. Just thought I'd pass on the info - this may be something else entirely - I tried searching for this signature and came up empty but the various security sites are a bit slow tonight (no surprise) and the searches didn't always work. We'll see how it goes! Mike Quoting John Berkers <berjo () ozemail com au>:
For Snort 1.7 I would suggest content:".ida?";nocase , for snort 1.8 uricontent:".ida?";nocase Removing the /default portion of the content makes the signature more generic, since in theory the ida overflow could be done via index.ida as well. The ? reduces the number of false alerts as the ? is required to produce the overflow. Finally, the nocase removes any case sensitivity the rule would otherwise have, which Windows doesn't. It might also be worthwhile to add a dsize: >239; flags A+ as per both Snort and Whitehats rules to further reduce false positives. The rule already exists in web-iis.rules from snort CVS since 19 June, and also in Whitehats vision17.rules and vision18.rules from around the same time. Lets hope all the preparation has paid off! Regards, John Berkers berjo () ozemail com au -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Richard Parker Sent: Tuesday, 31 July 2001 4:57 To: Snort-users () lists sourceforge net Subject: [Snort-users] Code Red Rule? Hi, I'm relatively new to snort, could someone comment on this rule for catching Code Red? alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Code Red default.ida attempt"; flags:PA; content:"GET /default.ida"; nocase;) Is that right? TIA Rich -- Richard Parker, Expressive Limited -> bash luser With what? Your bare hands? _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: CRv3?? [was RE: Code Red Rule?] Chris Owen (Jul 31)