Not sure if this will be of use to anyone on the list, but figured now is a good time to post 'em. :)

The following rules work with Snort 1.7+.

This one is the most generic, to catch .ida overflows:

alert tcp any any -> any 80 (content: ".ida?"; dsize: >239; msg: "Generic ida ISAPI Overflow"; flags: A+; nocase;)

These are more specific in their detection:

alert tcp any any -> 198.137.240.91 80 (msg:"Possible CodeRed Infection - Whitehouse connection";)
alert tcp any any -> any 80 (msg: "CodeRed Defacement Detected"; flags: A+; content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:64;)
alert tcp any any -> any 80 (msg: "CodeRed Overflow Detected"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|"; depth:64;)
alert tcp any any -> any 80 (msg: "Eeye Scanner for CodeRed"; dsize: >239; flags: A+; content:"|2F782e69 64613f41 41414141|"; depth:64;)

I have compiled Snort 1.8 with FlexResponse, and am using these rules to dump the packets as they hit.

alert tcp any any -> any 80 (msg: "RESET SENT - CodeRed Defacement"; flags: A+; content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:64; resp:rst_snd;)
alert tcp any any -> any 80 (msg: "RESET SENT - CodeRed Overflow"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|"; depth:64; resp:rst_snd;)
alert tcp any any -> any 80 (msg: "RESET SENT - Eeye Scanner"; dsize: >239; flags: A+; content:"|2F782e69 64613f41 41414141|"; depth:64; resp:rst_snd;)

Jim Forster
Network Administrator
RapidNet, A Golden West Company
--------------------------------------------------------
http://www.snort.org
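Added example (not part of Jim's mail, and not Snort itself): a small Python re-implementation of the payload checks these rules rely on, so the interplay of content, |hex| notation, depth and dsize can be tried offline. It decodes the pipe-delimited hex content strings from the rules above, then runs the four content rules over constructed HTTP request payloads. The flags: A+ and port checks are assumed already satisfied and are left out; the sample requests are constructed here and are not captured worm traffic.

```python
"""Payload-level model of the CodeRed rules above (added example, not Snort)."""


def parse_content(spec: str) -> bytes:
    """Decode a Snort content string: segments between '|' pipes are hex
    (whitespace ignored), everything else is literal text."""
    out = bytearray()
    for i, seg in enumerate(spec.split("|")):
        if i % 2 == 1:                                  # inside |...|
            out += bytes.fromhex(seg.replace(" ", ""))
        else:
            out += seg.encode("latin-1")
    return bytes(out)


# The content rules from the mail, reduced to their payload checks.
# dsize ">239" becomes a minimum length of 240; depth N means the match
# must lie within the first N bytes of the payload (None = no limit).
RULES = [
    {"msg": "Generic ida ISAPI Overflow", "content": ".ida?",
     "depth": None, "min_dsize": 240, "nocase": True},
    {"msg": "CodeRed Defacement Detected",
     "content": "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|",
     "depth": 64, "min_dsize": 0, "nocase": False},
    {"msg": "CodeRed Overflow Detected",
     "content": "|2F646566 61756C74 2E696461 3F4E4E4E|",
     "depth": 64, "min_dsize": 240, "nocase": False},
    {"msg": "Eeye Scanner for CodeRed",
     "content": "|2F782e69 64613f41 41414141|",
     "depth": 64, "min_dsize": 240, "nocase": False},
]


def rule_matches(rule: dict, payload: bytes) -> bool:
    """Apply dsize, depth and (no)case semantics of one rule to a payload."""
    if len(payload) < rule["min_dsize"]:
        return False
    needle = parse_content(rule["content"])
    window = payload if rule["depth"] is None else payload[:rule["depth"]]
    if rule["nocase"]:
        needle, window = needle.lower(), window.lower()
    return window.find(needle) != -1


def match_payload(payload: bytes) -> list:
    """Return the msg of every rule that fires on this payload, in rule order."""
    return [r["msg"] for r in RULES if rule_matches(r, payload)]


# Constructed sample payloads (illustrative, not captured traffic).
CODERED_REQUEST = b"GET /default.ida?" + b"N" * 230 + b" HTTP/1.0\r\n\r\n"
EEYE_SCAN = b"GET /x.ida?" + b"A" * 240 + b" HTTP/1.0\r\n\r\n"
# Same .ida? path but far too short for dsize >239: no rule fires.
BENIGN_SHORT = b"GET /default.ida?foo=bar HTTP/1.0\r\n\r\n"
# Worm string pushed past byte 64: only the depth-less generic rule fires.
LATE_PATH = b"GET /" + b"a" * 80 + b"/default.ida?" + b"N" * 200 + b" HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, p in [("CODERED_REQUEST", CODERED_REQUEST), ("EEYE_SCAN", EEYE_SCAN),
                    ("BENIGN_SHORT", BENIGN_SHORT), ("LATE_PATH", LATE_PATH)]:
        print(name, "->", match_payload(p))
```

The BENIGN_SHORT and LATE_PATH cases show why the dsize and depth options matter: without dsize the generic ".ida?" rule would fire on any ordinary .ida request, and the depth:64 on the specific rules means a request that pads the path before /default.ida? is only caught by the generic rule.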
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 08:21:45 PDT