Re: .ida Intrusion Attempt

From: Martin Roesch (roeschat_private)
Date: Thu Jul 19 2001 - 10:11:54 PDT


    That's a rule ordering issue, I'm pretty sure we fixed that one in
    1.8-RELEASE...
    
        -Marty
    
    Joe Smith wrote:
    > 
    > Hey all,
    > 
    > Just got this .ida attack on my sensors.  This is
    > cute, how it splits the GET from the default.ida?
    > query.
    > 
    > Please note that while snort did detect it, it wasn't
    > detected by the .ida rule.  Instead, it detected
    > it as a whisker splice attack.
    > 
    > alert TCP $EXTERNAL any -> $INTERNAL 80 (msg:
    > "IDS415/web-misc_http-whisker-splicing-attack-tab";
    > dsize: <5; flags: A+; content: "|09|"; classtype:
    > suspicious; reference: arachnids,415;)
    > 
    > alert TCP $EXTERNAL any -> $INTERNAL 80 (msg:
    > "IDS552/web-iis_IIS ISAPI Overflow ida"; dsize: >239;
    > flags: A+; uricontent: ".ida?"; classtype:
    > system-or-info-attempt; reference: arachnids,552;)
    > 
    > I'm guessing that once snort found a match with
    > whisker, it stopped looking for other matches.
    > 
    > I've included the relevant frames for your review.
    > 
    > 63.241.137.194-attacker        my.poor.website
    >   HTTP     GET
    > Frame 4 (60 on wire, 60 captured)
    > Ethernet II
    > Internet Protocol
    > Transmission Control Protocol, Src Port: 21500
    > (21500), Dst Port: 80 (80), Seq: 3988343872, Ack:
    > 2181442487
    > Hypertext Transfer Protocol
    > 
    >    0  00d0 b790 dd6f 0002 1724 4800 0800 4500
    > .....o...$H...E.
    >   10  002c 105a 4000 7206 9c64 3ff1 89c2 3f59
    > .,.Z@.r..d?...?Y
    >   20  5301 53fc 0050 edb9 4c40 8206 2bb7 5018
    > S.S..P..L@..+.P.
    >   30  40b0 3ba1 0000 4745 5420 0000
    > @.;...GET ..
    > 
    > 63.241.137.194-attacker        my.poor.website
    >    HTTP     Continuation
    > Frame 5 (1434 on wire, 100 captured)
    > Ethernet II
    > Internet Protocol
    > Transmission Control Protocol, Src Port: 21500
    > (21500), Dst Port: 80 (80), Seq: 3988343876, Ack:
    > 2181442487
    > Hypertext Transfer Protocol
    > 
    >    0  00d0 b790 dd6f 0002 1724 4800 0800 4500
    > .....o...$H...E.
    >   10  058c 105b 4000 7206 9703 3ff1 89c2 3f59
    > ...[@.r...?...?Y
    >   20  5301 53fc 0050 edb9 4c44 8206 2bb7 5018
    > S.S..P..LD..+.P.
    >   30  40b0 0109 0000 2f64 6566 6175 6c74 2e69
    > @...../default.i
    >   40  6461 3f4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e
    > da?NNNNNNNNNNNNN
    >   50  4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e
    > NNNNNNNNNNNNNNNN
    >   60  4e4e 4e4e                                 NNNN
    > 
    > 
    > __________________________________________________
    > Do You Yahoo!?
    > Get personalized email addresses from Yahoo! Mail
    > http://personal.mail.yahoo.com/
    
    --
    Martin Roesch
    roeschat_private
    http://www.sourcefire.com - http://www.snort.org
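The two frames quoted above make the ordering question concrete: the first segment carries only the four bytes "GET " (the IP total length is 0x002c, so the trailing 0000 is Ethernet padding, not payload), and the second carries "/default.ida?NNNN..." as a bare continuation with no request line. The script below is an added example, not code from the thread or from Snort. It parses the hex dumps as posted, computes each segment's dsize from the IP header the way an IDS does, and runs a deliberately simplified model of the quoted rules' dsize, flags, content and uricontent options (the model's uricontent only sees a URI when a request line starts the data, which is an assumption about how HTTP decoding behaves, not a statement about any particular Snort version). It then reassembles the two segments by sequence number and evaluates the same rules on the joined stream, which is the check a defender wants when a request is split across packets.

```python
import re

# Hex dumps copied from the post (offset column plus hex words; the ASCII
# column is omitted). Frame 5 was captured truncated at 100 bytes.
FRAME4_DUMP = """
   0  00d0 b790 dd6f 0002 1724 4800 0800 4500
  10  002c 105a 4000 7206 9c64 3ff1 89c2 3f59
  20  5301 53fc 0050 edb9 4c40 8206 2bb7 5018
  30  40b0 3ba1 0000 4745 5420 0000
"""
FRAME5_DUMP = """
   0  00d0 b790 dd6f 0002 1724 4800 0800 4500
  10  058c 105b 4000 7206 9703 3ff1 89c2 3f59
  20  5301 53fc 0050 edb9 4c44 8206 2bb7 5018
  30  40b0 0109 0000 2f64 6566 6175 6c74 2e69
  40  6461 3f4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e
  50  4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e 4e4e
  60  4e4e 4e4e
"""

# The two rules as quoted in the post, reduced to the options this model checks.
RULES = {
    "IDS415/web-misc_http-whisker-splicing-attack-tab":
        {"dsize": ("<", 5), "flags_ack": True, "content": b"\x09"},
    "IDS552/web-iis_IIS ISAPI Overflow ida":
        {"dsize": (">", 239), "flags_ack": True, "uricontent": b".ida?"},
}

ETH_LEN = 14  # Ethernet II header


def parse_dump(dump):
    """Turn a hex dump in the post's layout into bytes (drops the offset column)."""
    words = []
    for line in dump.strip().splitlines():
        words.extend(line.split()[1:])
    return bytes.fromhex("".join(words))


def tcp_segment(frame):
    """Decode Ethernet/IPv4/TCP headers. dsize comes from the IP total length,
    the way an IDS computes it, so Ethernet padding on a short frame (the
    trailing 0000 of frame 4) is not counted and a truncated capture (frame 5)
    still reports the real payload length."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    ip_total = int.from_bytes(frame[ETH_LEN + 2:ETH_LEN + 4], "big")
    tcp = ETH_LEN + ihl
    seq = int.from_bytes(frame[tcp + 4:tcp + 8], "big")
    data_off = (frame[tcp + 12] >> 4) * 4
    flags = frame[tcp + 13]
    dsize = ip_total - ihl - data_off
    payload = frame[tcp + data_off:tcp + data_off + dsize]
    return {"seq": seq, "ack_set": bool(flags & 0x10),
            "dsize": dsize, "payload": payload}


def extract_uri(payload):
    """Simplified HTTP URI extraction (an assumption of this model): a request
    line '<METHOD> <uri>' must start the data. A bare continuation segment has
    no request line, so uricontent has nothing to inspect."""
    m = re.match(rb"^[A-Z]+ (\S+)", payload)
    return m.group(1) if m else None


def rule_matches(rule, seg):
    op, n = rule["dsize"]
    if op == "<" and not seg["dsize"] < n:
        return False
    if op == ">" and not seg["dsize"] > n:
        return False
    if rule.get("flags_ack") and not seg["ack_set"]:
        return False
    if "content" in rule and rule["content"] not in seg["payload"]:
        return False
    if "uricontent" in rule:
        uri = extract_uri(seg["payload"])
        if uri is None or rule["uricontent"] not in uri:
            return False
    return True


def evaluate(dumps):
    """Apply every rule to each segment on its own, then to the reassembled
    stream. Returns {label: {"dsize": n, "matches": {rule: bool}}}."""
    segs = sorted((tcp_segment(parse_dump(d)) for d in dumps), key=lambda s: s["seq"])
    out = {}
    for i, seg in enumerate(segs):
        out[f"segment{i}"] = {"dsize": seg["dsize"],
                              "matches": {n: rule_matches(r, seg) for n, r in RULES.items()}}
    # Reassemble by sequence number: each segment must start exactly where the
    # previous one's data (by dsize, not captured bytes) ends.
    stream = {"seq": segs[0]["seq"], "ack_set": all(s["ack_set"] for s in segs),
              "dsize": 0, "payload": b""}
    expect = segs[0]["seq"]
    for seg in segs:
        if seg["seq"] != expect:
            raise ValueError(f"gap in stream at seq {expect}")
        stream["payload"] += seg["payload"]
        stream["dsize"] += seg["dsize"]
        expect = seg["seq"] + seg["dsize"]
    out["stream"] = {"dsize": stream["dsize"],
                     "matches": {n: rule_matches(r, stream) for n, r in RULES.items()}}
    return out


if __name__ == "__main__":
    for label, info in evaluate([FRAME4_DUMP, FRAME5_DUMP]).items():
        print(label, info["dsize"], info["matches"])
```

Run stand-alone it reports dsize 4 for the "GET " segment, 1380 for the continuation (from the IP length, although only 46 payload bytes were captured) and 1384 for the joined stream. Judged packet by packet, neither segment satisfies the quoted .ida rule: the first is far under 239 bytes and the second has no request line for uricontent to work on; only the first segment meets the splice rule's dsize restriction, though it lacks the |09| byte that particular variant also asks for. On the reassembled stream the .ida rule matches, which is why stream reassembly, rather than rule order alone, decides what a split request is reported as.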
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 16:13:41 PDT