Hi all,

The snort rule for the new one is working quite well here. In the normal case, that is! I found a couple of 'duplicate' hits with the standard .ida? alert and the additional CodeRedII alert. Those alerts show that a proxy was handling these requests. It seems to truncate the byte stream after the http-header and starts a new packet for the http-body. This way the .ida? rule will match on the first packet and the CodeRedII rule will match on the second one.

Anyway, the rules for the original CRv1 and CRv2 are always giving me double positives here. The first alert has a mangled packet content (first 4 bytes missing) and sometimes even the rest of the packet can contain arbitrary data. The worst is that I sometimes get single alerts and these can be matched to regular web traffic that bears no resemblance to the worm in any way. (Fyodor[Snort] is contacted)

CU
Sven

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
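The header/body split that Sven describes, as an added Python model that is not part of the original post: two simplified content rules (rule names and the sample request are constructed, with no real worm payload) are run once per segment, the way a packet-only engine would, and again on the reassembled stream.

```python
# Added example: shows why one request split by a proxy into a header
# segment and a body segment yields two separate content alerts when each
# packet is matched on its own, but one combined result on the reassembled
# stream. Rule names, patterns and the sample request are constructed.

# Simplified "rules": name -> byte pattern that must appear in the payload.
RULES = {
    "ida-request": b".ida?",
    "codered2-marker": b"CodeRedII",
}

# Constructed request: a .ida URI in the header, a variant marker in the body.
SAMPLE_REQUEST = (
    b"GET /default.ida?XXXX HTTP/1.0\r\n"
    b"Host: web.example\r\n"
    b"\r\n"
    b"CodeRedII-body-marker"
)


def split_at_header_end(request):
    """Mimic the proxy behaviour from the post: one segment holding the HTTP
    header up to and including the blank line, a second holding the body."""
    idx = request.find(b"\r\n\r\n")
    if idx < 0:
        return [request]
    cut = idx + 4
    return [request[:cut], request[cut:]]


def match_rules(payload, rules=RULES):
    """Return the names of all rules whose pattern occurs in payload."""
    return [name for name, pat in rules.items() if pat in payload]


def per_packet_alerts(segments):
    """Match each segment independently (packet-only engine).
    Returns (segment_index, rule_name) pairs; a split request gives two
    alerts on two different packets, each seeing only part of the request."""
    return [(i, name) for i, seg in enumerate(segments) for name in match_rules(seg)]


def reassembled_alerts(segments):
    """Match once over the concatenated stream (what TCP reassembly gives)."""
    return match_rules(b"".join(segments))


if __name__ == "__main__":
    segs = split_at_header_end(SAMPLE_REQUEST)
    print("per-packet :", per_packet_alerts(segs))
    print("reassembled:", reassembled_alerts(segs))
```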
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 09:26:58 PDT