For a long time I haven't seen codered since we've been using content-screening at the router for blocking the attacks, but suddenly they are showing up again on my IDS. So I was wondering how it is that now they are getting through the content-screening.

After waiting for a capture of an attack session (I didn't have to wait long) it seems that the familiar "GET /default.ida*" is now being delivered with the "GET " in a separate packet which appears designed to defeat the web content-screening features of routers and packet shapers.

It's been a while, but I don't recall it being split up like that before - and I still get some with the "GET" in the same packet so I'm led to believe there's a new code red variant out there.

Can anyone else verify that this is new behaviour?

--
Chris Russel | CNS Information Security
russelat_private | York University, Toronto, Canada

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jan 10 2002 - 09:46:23 PST
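An added example, not part of the original post: it contrasts stateless per-packet screening with matching on a reassembled TCP stream, using the request prefix quoted above. The segment lists, sequence numbers and function names are constructed for illustration and do not come from a real capture.

```python
# Signature taken from the request prefix quoted in the post.
SIGNATURE = b"GET /default.ida"

def per_packet_match(segments, sig=SIGNATURE):
    """Stateless screening: inspect each segment payload on its own."""
    return any(sig in payload for _, payload in segments)

def reassemble(segments):
    """Rebuild the contiguous byte stream from (seq, payload) segments.

    Segments are ordered by relative sequence number; bytes already
    received are kept when a later segment overlaps them, and
    reassembly stops at the first gap.
    """
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > len(stream):
            break  # hole in the stream: later bytes are not contiguous yet
        stream.extend(payload[len(stream) - seq:])
    return bytes(stream)

def stream_match(segments, sig=SIGNATURE):
    """Stateful screening: match the signature on the reassembled stream."""
    return sig in reassemble(segments)

def compare(segments):
    """Return (per_packet_result, stream_result) for one flow."""
    return per_packet_match(segments), stream_match(segments)

# Constructed flows: (relative TCP sequence number, payload).
REST = b"/default.ida?XXXX HTTP/1.0\r\n\r\n"   # placeholder query string
SINGLE = [(0, b"GET " + REST)]                 # method and URI together
SPLIT = [(0, b"GET "), (4, REST)]              # "GET " in its own packet
SPLIT_REORDERED = [(4, REST), (0, b"GET ")]    # same flow, out of order
SPLIT_RETRANS = [(0, b"GET "), (0, b"GET /def"), (4, REST)]  # overlap
BENIGN = [(0, b"GET "), (4, b"/index.html HTTP/1.0\r\n\r\n")]

if __name__ == "__main__":
    flows = {"single": SINGLE, "split": SPLIT,
             "split_reordered": SPLIT_REORDERED,
             "split_retrans": SPLIT_RETRANS, "benign": BENIGN}
    for name, flow in flows.items():
        pkt, strm = compare(flow)
        print(f"{name:16} per-packet={pkt!s:5} stream={strm}")
```

A per-packet rule anchored only on the URI (`/default.ida`) would also catch the split form, at the cost of matching any method.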