|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: McCammon, Keith (Keith.McCammon
eadvancemed.com)Date: Wed Aug 01 2001 - 16:37:16 CDT
Jim's rules should catch most, if not all, of the crap that the worm will
throw at you. Just to be safe, however, I added another rule:
alert tcp any any -> $HTTP_SERVERS 80 (msg:"CodeRed/Index Server - Generic";
content:".ida?";)
This is pretty much guaranteed to catch any future variant of this sorry
little worm. Of course, you only want to do this if you have *no* use for
these application mappings.
>I you use the SNORT Rules Jim Forester posted a bit ago, it
>_should_ get all
>variations, yes?
>alert tcp any any -> any 80 (msg: "CodeRed Defacement
>Detected"; flags: A+;
>content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:64;)
>alert tcp any any -> any 80 (msg: "CodeRed Overflow Detected";
>dsize: >239;
>flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|"; depth:64;)
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]