Jim's rules should catch most, if not all, of the crap that the worm will throw at you. Just to be safe, however, I added another rule:

alert tcp any any -> $HTTP_SERVERS 80 (msg:"CodeRed/Index Server - Generic"; content:".ida?";)

This is pretty much guaranteed to catch any future variant of this sorry little worm. Of course, you only want to do this if you have *no* use for these application mappings.

> If you use the SNORT Rules Jim Forester posted a bit ago, it _should_ get all variations, yes?
>
> alert tcp any any -> any 80 (msg: "CodeRed Defacement Detected"; flags: A+; content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:64;)
>
> alert tcp any any -> any 80 (msg: "CodeRed Overflow Detected"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|"; depth:64;)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
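Added example (not part of the original post or of Snort): a minimal evaluator for the rule options the thread relies on, content with Snort's |hex| byte notation, depth and dsize, run over constructed request payloads to show why the generic ".ida?" rule fires on a filler-byte variant that the exact hex content rule misses. Header fields and the flags option are not evaluated.

```python
# Added example, not code from the original post. Evaluates Snort-style
# content / depth / dsize options against constructed sample payloads.

def parse_content(spec: str) -> bytes:
    """Turn a Snort content string into bytes; segments between | | are hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:  # odd segments sit between pipes: hex bytes, spaces allowed
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

def matches(rule: dict, payload: bytes) -> bool:
    """dsize accepts '>N', '<N' or 'N'; depth limits the search to the first N bytes."""
    dsize = rule.get("dsize")
    if dsize:
        n = int(dsize.lstrip("<>"))
        if dsize.startswith(">") and not len(payload) > n:
            return False
        if dsize.startswith("<") and not len(payload) < n:
            return False
        if dsize[0] not in "<>" and len(payload) != n:
            return False
    window = payload[: rule["depth"]] if rule.get("depth") else payload
    return parse_content(rule["content"]) in window

# The two rules quoted above (msg text used as the rule name).
RULES = {
    "CodeRed/Index Server - Generic": {"content": ".ida?"},
    "CodeRed Overflow Detected": {
        "content": "|2F646566 61756C74 2E696461 3F4E4E4E|",  # "/default.ida?NNN"
        "depth": 64,
        "dsize": ">239",
    },
}

# Constructed samples: a Code Red style request, a hypothetical variant
# with a different filler byte, and a benign request.
SAMPLES = {
    "codered": b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858 HTTP/1.0\r\n",
    "variant": b"GET /default.ida?" + b"X" * 224 + b"%u9090%u6858 HTTP/1.0\r\n",
    "benign": b"GET /index.html HTTP/1.0\r\n",
}

def alerts_for(name: str) -> list:
    """Return the rule names that fire on the named sample payload."""
    payload = SAMPLES[name]
    return [msg for msg, rule in RULES.items() if matches(rule, payload)]
```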
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 14:55:53 PDT