Re: .ida Intrusion Attempt

From: Stuart Staniford (stuartat_private)
Date: Thu Jul 19 2001 - 20:48:04 PDT

    Russell Fulton wrote:
    > 
    > On Thu, 19 Jul 2001 10:55:10 -0700 (PDT) Joe Smith
    > <shadowm4nat_private> wrote:
    > 
    > > Interesting.  I played around with the rules some, and
    > > figured out why snort wasn't finding it with the .ida
    > > rule.  Since I'm only logging the first 100 bytes of
    > > data, the .ida rule misses it because part of the
    > > criteria of the rule is for data size to be greater
    > > than 239 bytes.
    > >
    > 
    > Ahh... that explains that!  My snort was seeing some '.ida?' probes
    > *but* none of the machines that got hit by the red code worm were
    > logged.
    > 
    > The external addresses that were detected by snort appear to be probing
    > random addresses on port 80 -- just like the red worm does.
    > 
    > Are there two versions out there?
    
    I've been working on that possibility for the last several hours.  Data from Ken
    Eichman of cas.org at
    
    http://www.incidents.org/diary/diary.php
    
    show a sudden dramatic increase in the probe rate earlier this morning (US
    time).  This could be consistent with a new version which is spreading much more
    effectively (possibly because it seeds its random number better).  I'm trying to
    fit this data.  If anyone has similar hourly data for the last day or two, or a
    freshly captured copy of the worm, I'd like to get hold of them.  If there is a
    second version, it looks like it has happened since the eEye disassembly.
    
    I note also that www.whitehouse.gov is still fully accessible, which seems
    inconsistent with eEye's prediction as modified by Eric at Symantec (see
    www.snort.org).  I speculate that if there is a second worm, it does something
    else.
    
    Hour    # Code Red Worm Scans    Scanning During the Hour
    ----    ---------------------    ------------------------
      00                    12699                        2450
      01                    13059                        2577
      02                    13272                        2590
      03                    13056                        2564
      04                    13283                        2632
      05                    13229                        2612
      06                    13554                        2601
      07                    13517                        2608
      08                    13746                        2685
      09                    16819                        3325
      10                    36589                        7838
      11                   116083                       26823
      12                   295348                       68085
      13                   466542                      103522
      14                   520973                      113451
      15                   513513                      115124
      16                   513894                       90931
    
    -- 
    Stuart Staniford     ---     President     ---     Silicon Defense
             ** Silicon Defense: Technical Support for Snort **
    mailto:stuartat_private  http://www.silicondefense.com/
    (707) 445-4355 x 16                           (707) 445-4222 (FAX)
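The curve fit Stuart says he is attempting can be reproduced from the hourly table in his message. The Python script below is an added example, not part of the original message or the list archive; it assumes the table's hours are consecutive and that the third column (whose header is truncated in the archive) counts distinct scanning sources. It locates the hour the series leaves its baseline, fits an exponential to the ramp to get a doubling time, and checks whether scans per source stayed flat, which tells a defender whether a surge comes from more infected hosts or from faster scanning.

```python
import math
import statistics

# (hour, scans, sources) from the table above; the third column is assumed
# to count distinct scanning sources (its header is truncated in the archive).
HOURLY = [
    (0, 12699, 2450), (1, 13059, 2577), (2, 13272, 2590), (3, 13056, 2564),
    (4, 13283, 2632), (5, 13229, 2612), (6, 13554, 2601), (7, 13517, 2608),
    (8, 13746, 2685), (9, 16819, 3325), (10, 36589, 7838), (11, 116083, 26823),
    (12, 295348, 68085), (13, 466542, 103522), (14, 520973, 113451),
    (15, 513513, 115124), (16, 513894, 90931),
]

def onset_hour(rows, factor=2.0):
    """First hour whose scan count exceeds `factor` times the median of all
    earlier hours, i.e. where the series clearly leaves its baseline."""
    for i in range(1, len(rows)):
        baseline = statistics.median(r[1] for r in rows[:i])
        if rows[i][1] > factor * baseline:
            return rows[i][0]
    return None

def ramp_hours(rows, start, min_ratio=1.5):
    """Consecutive hours from `start` with scans >= `min_ratio` x the previous hour."""
    counts = {h: s for h, s, _ in rows}
    hours, h = [], start
    while h in counts and h - 1 in counts and counts[h] >= min_ratio * counts[h - 1]:
        hours.append(h)
        h += 1
    return hours

def doubling_time(rows, hours):
    """Least-squares fit of ln(scans) against hour over `hours`; returns the
    hourly growth factor and the doubling time in hours."""
    counts = {h: s for h, s, _ in rows}
    ys = [math.log(counts[h]) for h in hours]
    xm, ym = statistics.mean(hours), statistics.mean(ys)
    slope = (sum((x - xm) * (y - ym) for x, y in zip(hours, ys))
             / sum((x - xm) ** 2 for x in hours))
    return math.exp(slope), math.log(2) / slope

def scans_per_source(rows):
    """Scans per source per hour: flat means more hosts, not faster scanning."""
    return {h: s / n for h, s, n in rows}

if __name__ == "__main__":
    start = onset_hour(HOURLY)
    growth, dbl = doubling_time(HOURLY, ramp_hours(HOURLY, start))
    print(f"onset {start:02d}h, x{growth:.2f}/hour, doubling every {dbl * 60:.0f} min")
```

On this table the onset lands at hour 10 with a doubling time of roughly 50 minutes over hours 10 to 13, while scans per source stay between about 4.3 and 5.7 all day, so the surge is new scanning hosts rather than a faster scanner.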
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 23:49:34 PDT