Russell Fulton wrote:

> On Thu, 19 Jul 2001 10:55:10 -0700 (PDT) Joe Smith
> <shadowm4nat_private> wrote:
>
> > Interesting. I played around with the rules some, and
> > figured out why snort wasn't finding it with the .ida
> > rule. Since I'm only logging the first 100 bytes of
> > data, the .ida rule misses it because part of the
> > criteria of the rule is for data size to be greater
> > than 239 bytes.
>
> Ahh... that explains that! My snort was seeing some '.ida?' probes
> *but* none of the machines that got hit by the red code worm were
> logged.
>
> The external addresses that were detected by snort appear to be probing
> random addresses on port 80 -- just like the red worm does.
>
> Are there two versions out there?

I've been working on that possibility for the last several hours. Data from Ken Eichman of cas.org at http://www.incidents.org/diary/diary.php show a sudden dramatic increase in the probe rate earlier this morning (US time). This could be consistent with a new version which is spreading much more effectively (possibly because it seeds its random number better). I'm trying to fit this data. If anyone has similar hourly data for the last day or two, or a freshly captured copy of the worm, I'd like to get hold of them.

If there is a second version, it looks like it has happened since the eEye disassembly. I note also that www.whitehouse.gov is still fully accessible, which seems inconsistent with eEye's prediction as modified by Eric at Symantec (see www.snort.org). I speculate that if there is a second worm, it does something else.
 Hour   # Code Red Worm Scans   Scanning During the Hour
 ----   ---------------------   ------------------------
  00            12699                     2450
  01            13059                     2577
  02            13272                     2590
  03            13056                     2564
  04            13283                     2632
  05            13229                     2612
  06            13554                     2601
  07            13517                     2608
  08            13746                     2685
  09            16819                     3325
  10            36589                     7838
  11           116083                    26823
  12           295348                    68085
  13           466542                   103522
  14           520973                   113451
  15           513513                   115124
  16           513894                    90931

--
Stuart Staniford --- President --- Silicon Defense
** Silicon Defense: Technical Support for Snort **
mailto:stuartat_private   http://www.silicondefense.com/
(707) 445-4355 x 16   (707) 445-4222 (FAX)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
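As an added illustration (not code from the thread or from Snort), the following simulates the truncation Joe describes: a constructed '.ida?' probe is matched by a rule requiring content '.ida?' and data size > 239 when fully captured, but not when only the first 100 bytes are stored. The second variant takes the size from the packet's original length, which pcap files keep in each record header alongside the truncated bytes. The sample requests and all names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

LOGGED_BYTES = 100      # Joe's setup: only the first 100 bytes of data are kept
IDA_DSIZE_MIN = 240     # the .ida rule requires data size greater than 239 bytes


@dataclass
class LoggedPacket:
    wire_len: int    # payload length the packet actually carried on the wire
    stored: bytes    # the bytes that made it into the log (possibly truncated)


def log_packet(payload: bytes, snaplen: Optional[int]) -> LoggedPacket:
    """Simulate storing a packet, keeping at most `snaplen` payload bytes.
    Real pcap files record both the truncated length and the original length;
    wire_len stands in for the latter here."""
    stored = payload if snaplen is None else payload[:snaplen]
    return LoggedPacket(wire_len=len(payload), stored=stored)


def ida_rule_stored_size(pkt: LoggedPacket) -> bool:
    """Rule as the thread describes it: content '.ida?' AND data size > 239,
    with the size measured on whatever bytes were stored."""
    return b".ida?" in pkt.stored and len(pkt.stored) >= IDA_DSIZE_MIN


def ida_rule_wire_size(pkt: LoggedPacket) -> bool:
    """Same rule, but the size test uses the original on-wire length, so a
    small capture length no longer hides an oversized request."""
    return b".ida?" in pkt.stored and pkt.wire_len >= IDA_DSIZE_MIN


# Constructed sample requests (hypothetical, not real captures): one long
# '.ida?' probe of the kind the thread discusses, one short ordinary request.
PROBE_REQUEST = b"GET /default.ida?" + b"N" * 300 + b" HTTP/1.0\r\n\r\n"
NORMAL_REQUEST = b"GET /index.ida?page=1 HTTP/1.0\r\n\r\n"


def evaluate(snaplen: Optional[int]) -> Dict[str, Tuple[bool, bool]]:
    """Return (stored-size verdict, wire-size verdict) for each sample request."""
    results = {}
    for name, payload in (("probe", PROBE_REQUEST), ("normal", NORMAL_REQUEST)):
        pkt = log_packet(payload, snaplen)
        results[name] = (ida_rule_stored_size(pkt), ida_rule_wire_size(pkt))
    return results


if __name__ == "__main__":
    print("full capture:    ", evaluate(None))
    print("100-byte capture:", evaluate(LOGGED_BYTES))
```

With the 100-byte limit the stored-size rule reports no match for the probe even though the '.ida?' content is present, which is exactly the gap Joe observed.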
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 23:49:34 PDT