Re: snort signature for new CodeRed variant

From: Joe Moll (jmollat_private)
Date: Sun Aug 05 2001 - 19:20:07 PDT


    We figured this one out offline; it was an order issue in the ruleset.
    
    Best Regards,
    Joe Moll
    
    On Sunday 05 August 2001 00:00, David Brown wrote:
    > Joe,
    > Just tried the Snort sig (1.7) and it didn't pick up the latest CodeRedII
    > scan? Snort reported it as IDS552 and the packet dump was a CodeRedII
    > packet.
    > Here is the snort rule again:
    > alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; content: "|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"; depth:624;)
    >
    > Any ideas what I've done wrong ??
    >
    > Rgds,
    >
    > Dave
    >
    >
    > ----- Original Message -----
    > From: "J Moll" <jmoll-lists@my-mbox.com>
    > To: <incidentsat_private>
    > Sent: Sunday, August 05, 2001 4:21 PM
    > Subject: snort signature for new CodeRed variant
    >
    > > All:
    > >
    > > I'm using this Snort signature to distinguish between the original and
    > > recent variant of CodeRed.  I'm sure it can be optimized -- grabbed a bit of the
    > > binary around the text "CodeRedII" in the packet to cut down on false
    > > alarms; putting it out so folks can log the differences.
    > >
    > >
    > > alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; content: "|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"; depth:624;)
    > >
    > >
    > > Best Regards,
    > > Joe Moll
    > >
    > > --
    > > Joseph L. Moll, CISSP -- jmollat_private
    > >
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
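An added example, not from the thread or from Snort itself: it models the two behaviours behind this exchange in Python, a `content`/`depth` check for the posted CodeRedII bytes and first-match rule evaluation, under which a broad rule listed earlier masks a specific one (the ordering issue Joe mentions). The generic `.ida?` rule, the first-match model and the request payload are constructed stand-ins, not Snort's actual IDS552 rule or a real capture.

```python
from typing import Optional

# Constructed rule list: (msg, content spec, depth). The CodeRedII bytes are
# the ones posted in the thread; the ".ida?" rule is a hypothetical stand-in
# for the broader signature that was reported as IDS552.
RULES = [
    ("IDS552-style .ida overflow", "|2e 69 64 61 3f|", None),   # ".ida?"
    ("CodeRedII Overflow",
     "|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|",
     624),
]

def snort_content_bytes(spec: str) -> bytes:
    """Decode a Snort content string: text outside pipes is literal,
    hex inside |...| is read as byte pairs with whitespace ignored."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex("".join(part.split()))
    return bytes(out)

def content_matches(payload: bytes, spec: str, depth: Optional[int]) -> bool:
    """content + depth: the pattern must lie entirely within the first
    `depth` bytes of the payload (whole payload when depth is None)."""
    haystack = payload if depth is None else payload[:depth]
    return snort_content_bytes(spec) in haystack

def first_match(payload: bytes, rules):
    """First-match model (an assumption about the 1.x engine): the first
    rule in file order that matches wins, so a broad rule placed ahead of a
    specific one hides the specific alert."""
    for msg, spec, depth in rules:
        if content_matches(payload, spec, depth):
            return msg
    return None

# Constructed payload, not a real capture: a .ida request with the posted
# CodeRedII marker bytes placed well inside the 624-byte depth window.
SAMPLE = (b"GET /default.ida?" + b"X" * 200 + b"%u9090%u6858 HTTP/1.0\r\n\r\n"
          + snort_content_bytes(RULES[1][1]) + b"\x90" * 64)

def demo():
    """Same packet, two rule orders: broad rule first vs. specific rule first."""
    broad_first = first_match(SAMPLE, RULES)
    specific_first = first_match(SAMPLE, list(reversed(RULES)))
    return broad_first, specific_first

if __name__ == "__main__":
    print(demo())  # ('IDS552-style .ida overflow', 'CodeRedII Overflow')
```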
    