Here's a copy of CodeRed, as captured by my elite honeypot:

    nc -l -p 80 > c:\gotcha

It's in a password-protected .zip file, password is "worm" without the quotes. The zip file is only about 2K, so it shouldn't cause undue stress on anyone's mail server or client.

There is a rule available for Snort:

http://www.whitehats.com/info/IDS552

BlackICE Defender spotted this one as "Suspicious URL":

    39, 2001-07-19 20:05:28, 2002500, Suspicious URL, 203.138.114.17, st0017.nas911.sapporo.nttpc.ne.jp, x.x.x.x, , , 1,

And I'm not aware of other IDSes that catch this. (Though I'd like to be corrected if that's not the case.)

Ryan

This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 16:27:54 PDT