Re: .ida Intrusion Attempt

From: Russell Fulton (r.fultonat_private)
Date: Thu Jul 19 2001 - 17:48:14 PDT

    On Thu, 19 Jul 2001 10:55:10 -0700 (PDT) Joe Smith 
    <shadowm4nat_private> wrote:
    
    > Interesting.  I played around with the rules some, and
    > figured out why snort wasn't finding it with the .ida
    > rule.  Since I'm only logging the first 100 bytes of
    > data, the .ida rule misses it because part of the
    > criteria of the rule is for data size to be greater
    > than 239 bytes.
    
    Ahh... that explains that!  My snort was seeing some '.ida?' probes 
    *but* none of the machines that got hit by the red code worm were 
    logged.
    
    The external addresses that were detected by snort appear to be probing 
    random addresses on port 80 -- just like the red worm does.
    
    Are there two versions out there?
    
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
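The snaplen problem the two posters describe, modelled as an added example (this is not code from the original thread, and it is not Snort's own matching engine). The rule name, the 239-byte threshold and the ".ida?" content string follow the thread; the request bytes are constructed here, with a run of "N" characters standing in for the long query string, and are not a captured worm packet. The point shown is that Snort evaluates dsize against the bytes the sensor actually stored, so a sensor that keeps only the first 100 bytes of each packet can never satisfy "dsize:>239", while a companion rule without the size test still fires on the truncated capture.

```python
"""
Toy model of a Snort content + dsize rule evaluated against a truncated
capture.  Added example for the .ida thread; not code from the original
post and not Snort's real detection engine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Minimal subset of a Snort rule: a content string and a dsize lower bound.
    min_dsize models 'dsize:>N'; use 0 for a rule with no size test."""
    name: str
    content: bytes
    min_dsize: int


def capture(payload: bytes, snaplen: int) -> bytes:
    """Simulate a sensor that stores at most `snaplen` bytes of each payload
    (the thread's sensor kept only the first 100 bytes)."""
    return payload[:snaplen]


def rule_matches(rule: Rule, captured: bytes) -> bool:
    """Evaluate the rule the way the thread describes: dsize is checked on the
    captured bytes, not on the size of the packet that was on the wire."""
    if not len(captured) > rule.min_dsize:
        return False
    return rule.content in captured


def evaluate(rule: Rule, payload: bytes, snaplen: int) -> dict:
    """Return the individual test results so the failing criterion is visible."""
    captured = capture(payload, snaplen)
    return {
        "rule": rule.name,
        "wire_len": len(payload),
        "captured_len": len(captured),
        "content_seen": rule.content in captured,
        "dsize_ok": len(captured) > rule.min_dsize,
        "alert": rule_matches(rule, captured),
    }


# Rule with the size test the thread mentions (name is illustrative).
IDA_RULE = Rule("WEB-IIS ISAPI .ida attempt (dsize>239)", b".ida?", 239)
# Same content match with the size test dropped: noisier, but survives truncation.
IDA_PROBE_RULE = Rule("WEB-IIS .ida? request (no dsize)", b".ida?", 0)

# Constructed sample request, 254 bytes on the wire.  The "N" run is a
# placeholder for a long query string; it is not a real worm capture.
WORM_REQUEST = b"GET /default.ida?" + b"N" * 224 + b" HTTP/1.0\r\n\r\n"

# Default libpcap snaplen of the era, enough to hold a full Ethernet frame.
FULL_SNAPLEN = 1514
TRUNCATED_SNAPLEN = 100


def main() -> None:
    for snaplen in (TRUNCATED_SNAPLEN, FULL_SNAPLEN):
        for rule in (IDA_RULE, IDA_PROBE_RULE):
            r = evaluate(rule, WORM_REQUEST, snaplen)
            print(f"snaplen={snaplen:4d} {r['rule']:40s} "
                  f"captured={r['captured_len']:3d}/{r['wire_len']} "
                  f"content={r['content_seen']} dsize={r['dsize_ok']} "
                  f"alert={r['alert']}")


if __name__ == "__main__":
    main()
```

With the 100-byte capture the content test passes but the dsize test fails, so the rule with the size constraint is silent for every packet regardless of its real length; raising the sensor's snaplen (or dropping the dsize test, at the cost of alerting on the short probes as well) makes the same request alert.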
    
    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 20:14:54 PDT