On Mon, 20 Aug 2001, Nuno Mendes wrote:

> I was just checking how many CodeRed I and II attempts I had on my Linux
> based Apache server, and figuring out what if a new version of the worm
> encoded 'default.ida' in hexadecimal? Or even the data that causes the
> buffer overflow?

Note that the word "default" is arbitrary. You can change it to whatever else you want.

>
> It seems a lot of tools are based on 'default.ida' string.... aren't they?
>

I've only looked closely at the Snort rule, which says (if I remember correctly) .ida? (or .idq?) anywhere in the request, and the request is > 259 characters. Now, if you do some games with the .ida part... Well, I believe Snort has a HTTP encoding decoder... don't know how effective it is.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
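The detection-side point of this thread, as an added example that is not part of the original message and is not Snort's rule or decoder: percent-decode the request URI before looking for `.ida?` / `.idq?`, so a log check does not depend on the literal string. The log lines are constructed, the function names are hypothetical, and applying the "> 259 characters" threshold to the URI alone is an assumption.

```python
import re
from urllib.parse import unquote

MIN_LEN = 260  # "request is > 259 characters", as recalled in the reply above
EXT_RE = re.compile(r"\.id[aq]\?", re.IGNORECASE)   # .ida? or .idq? anywhere
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')    # URI from a common-log line

def normalize(uri, max_rounds=3):
    """Percent-decode a bounded number of times so single- and
    double-encoded forms collapse to the same literal text."""
    for _ in range(max_rounds):
        decoded = unquote(uri, encoding="latin-1")  # latin-1 keeps bytes 1:1
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(log_line):
    """Return 'match-raw', 'match-decoded-only', 'clean' or 'no-request'."""
    m = REQ_RE.search(log_line)
    if not m:
        return "no-request"
    raw = m.group(1)
    if len(raw) < MIN_LEN:          # length is checked on the bytes as sent
        return "clean"
    if EXT_RE.search(raw):
        return "match-raw"          # a literal-string signature sees this too
    if EXT_RE.search(normalize(raw)):
        return "match-decoded-only" # visible only after normalization
    return "clean"

# Constructed sample log lines (documentation address range, filler padding).
PAD = "N" * 300
SAMPLE = [
    f'192.0.2.10 - - [20/Aug/2001:09:00:01 -0700] "GET /default.ida?{PAD} HTTP/1.0" 404 205',
    f'192.0.2.11 - - [20/Aug/2001:09:00:02 -0700] "GET /renamed%2e%69%64%61?{PAD} HTTP/1.0" 404 205',
    '192.0.2.12 - - [20/Aug/2001:09:00:03 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.13 - - [20/Aug/2001:09:00:04 -0700] "GET /default.ida?x=1 HTTP/1.0" 404 205',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), line[:70])
```

Lines reported as `match-decoded-only` are the ones a check keyed on the literal string would miss.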