Joe, Just tried the Snort sig (1.7) and it did'nt pick up the latest CodeRedII scan ?Snort reported it as IDS552 and the packet dump was a CodeRedII packet. Here is the snort rule agn: alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; content: "|46309a02 0000e80a 0000 0043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"; depth:624;) Any ideas what I've done wrong ?? Rgds, Dave ----- Original Message ----- From: "J Moll" <jmoll-lists@my-mbox.com> To: <incidentsat_private> Sent: Sunday, August 05, 2001 4:21 PM Subject: snort signature for new CodeRed varient > All: > > I'm using this Snort signature to distinguish between the original and recent > varient of CodeRed. I'm sure it can be optimized -- grabbed a bit of the > binary around the text "CodeRedII" in the packet to cut down on false > alarms.. putting it out so folks can log the differences. > > > alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; content: > "|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 > ff55d866 0bc00f95|"; depth:624;) > > > Best Regards, > Joe Moll > > -- > Joseph L. Moll, CISSP -- jmollat_private > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 09:26:46 PDT