I'm using snort 1.8 w/ this additional rule:

    alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; content: "|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"; depth:624;)

I'm getting hit from ONE host in the following pattern: 5 times in the past 3 hours

I am getting with my .ida rule:
    1436 data bytes w/ ACK only   <identical packet>
    1343 data bytes w/ ACK-PSH    <identical packet>

I am getting with my cmd rule:
    1436 data bytes w/ ACK only   <identical packet>
    1315 data bytes w/ ACK-PSH    <identical packet>

I am getting with the new CodeRedII rule:
    536 data bytes w/ ACK only    <identical packet>
    373 data bytes w/ ACK-PSH     <identical packet>

Why would ONE host only be hitting me with 3 different signatures? I've had 1400+ hits on both .ida and cmd rules; but only 20 on the CodeRedII rule. What is this smaller signature up to?

Any ideas?

--
Brent Deterding

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
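As an added illustration (not part of the original post or of Snort itself), the following script re-implements the matching semantics of the quoted rule: "flags: A+" means ACK set with any other flags allowed, and "content" with "depth:624" means the 32-byte pattern must lie entirely within the first 624 payload bytes. The sample payloads are constructed filler with the rule's own content bytes inserted at chosen offsets, not captured worm traffic; they show why a packet carrying the pattern past byte 624 of a 1436-byte segment would not raise this alert even though the bytes are present.

```python
# Mini matcher for the Snort 'content' + 'depth' + 'flags' semantics used by
# the CodeRedII rule in the post. Assumption: Snort 1.8 semantics, i.e. depth
# limits the search to the first N payload bytes, and A+ = ACK plus anything.

# Hex content string from the rule, whitespace removed (32 bytes).
CODERED2_CONTENT = bytes.fromhex(
    "46309a02" "0000e80a" "00000043" "6f646552"
    "65644949" "008b1c24" "ff55d866" "0bc00f95"
)
DEPTH = 624

TCP_PSH = 0x08
TCP_ACK = 0x10
TCP_SYN = 0x02


def flags_match_a_plus(tcp_flags: int) -> bool:
    """Snort 'flags: A+': ACK must be set; other flags (e.g. PSH) may be too."""
    return bool(tcp_flags & TCP_ACK)


def content_match(payload: bytes, content: bytes, depth: int) -> bool:
    """Snort 'content' with 'depth': the whole pattern must end within the
    first `depth` bytes of the payload (bytes.find with an end bound)."""
    return payload.find(content, 0, depth) != -1


def rule_fires(tcp_flags: int, payload: bytes) -> bool:
    """True when both the flags test and the depth-bounded content test pass."""
    return flags_match_a_plus(tcp_flags) and content_match(payload, CODERED2_CONTENT, DEPTH)


def _pad(prefix_len: int, total_len: int, fill: bytes) -> bytes:
    """Constructed sample payload: filler, the 32-byte pattern, more filler."""
    return fill * prefix_len + CODERED2_CONTENT + fill * (total_len - prefix_len - len(CODERED2_CONTENT))


# Constructed packets (sizes taken from the post, placement is our choice).
PKT_ACK_ONLY_536 = _pad(100, 536, b"\x90")        # pattern well inside depth
PKT_ACK_PSH_373 = _pad(50, 373, b"\x41")          # short ACK-PSH segment
PKT_LATE_1436 = _pad(1000, 1436, b"\x00")         # pattern only after byte 624
PKT_STRADDLE = _pad(DEPTH - 10, DEPTH + 100, b"\x00")  # pattern crosses depth


def demo() -> dict:
    """Evaluate the rule against each constructed packet."""
    return {
        "ack_only_536": rule_fires(TCP_ACK, PKT_ACK_ONLY_536),
        "ack_psh_373": rule_fires(TCP_ACK | TCP_PSH, PKT_ACK_PSH_373),
        "late_1436": rule_fires(TCP_ACK, PKT_LATE_1436),
        "straddle": rule_fires(TCP_ACK, PKT_STRADDLE),
        "syn_no_ack": rule_fires(TCP_SYN, PKT_ACK_ONLY_536),
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name}: {'ALERT' if fired else 'no alert'}")
```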
This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 21:45:06 PDT