> I have seen no checks for root.exe so far. But Nessus already has a
> codered_x.nasl, congrats to this speed!
>
> # special root.exe from CR2
> alert tcp any any -> any 80 (msg: "CodeRedII root.exe"; flags: A+; content:"root.exe"; depth:624; classtype:attempted-admin;)

FYI - if you're using the syslog output of snort, and logging to a separate box for redundancy, that'll cause an infinite loop (msg contains content field). I recommend the following:

alert tcp any any -> any 80 (msg: "CodeRedII root exe"; flags: A+; content:"root.exe"; depth:624; classtype:attempted-admin;)

Cheers!

--
Adam Lambert
Chief Technical Officer
ManISec, Inc. - "Managed Internet Security Services"
http://www.manisec.com
mailto:alambertat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 17:10:33 PDT
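
The condition the reply warns about, a rule whose msg text contains its own content pattern, can be checked across a rule file before deployment. The following lint is an added example, not part of the original thread: the function names are my own, `|hex|` content sections are decoded, and `nocase` is treated as applying to the whole rule for simplicity.

```python
import re

# One option: keyword, optional ":" and a value that may contain quoted
# strings with backslash escapes, ended by ";".
OPTION_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')

# The two rules from the thread, copied as posted.
QUOTED_RULE = ('alert tcp any any -> any 80 (msg: "CodeRedII root.exe"; flags: A+; '
               'content:"root.exe"; depth:624; classtype:attempted-admin;)')
REPLY_RULE = ('alert tcp any any -> any 80 (msg: "CodeRedII root exe"; flags: A+; '
              'content:"root.exe"; depth:624; classtype:attempted-admin;)')

def parse_options(rule):
    """Return [(keyword, value)] from the parenthesised option body."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("no option body in rule")
    opts = []
    for m in OPTION_RE.finditer(rule[start + 1:end]):
        value = (m.group(2) or "").strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop the surrounding quotes
        opts.append((m.group(1).lower(), value))
    return opts

def content_bytes(value):
    """Decode a content value to raw bytes, expanding |hex| sections."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2:  # odd segments sit between pipes: hex bytes
            out += bytes.fromhex(part)
        else:      # literal text, with backslash escapes removed
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)

def self_matching(rule):
    """Return the content patterns that also occur in the rule's own msg."""
    opts = parse_options(rule)
    msg = b" ".join(v.encode("latin-1") for k, v in opts if k == "msg")
    nocase = any(k == "nocase" for k, _ in opts)
    hits = []
    for k, v in opts:
        if k != "content" or v.startswith("!"):  # skip negated matches
            continue
        needle = content_bytes(v)
        hay, pat = (msg.lower(), needle.lower()) if nocase else (msg, needle)
        if pat and pat in hay:
            hits.append(needle.decode("latin-1"))
    return hits
```

`self_matching(QUOTED_RULE)` reports `root.exe`, while the rule suggested in the reply comes back clean.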