From: Colby Rice (crice 180096hotel.com)
Date: Thu Aug 02 2001 - 09:06:29 CDT
Yeah, it's the dsize flag that causes it.
CR
-----Original Message-----
From: Owen Creger [mailto:OCreger CreativeSolutions.com]
Sent: Wednesday, August 01, 2001 1:29 PM
To: 'incidents securityfocus.com'; 'focus-ids securityfocus.com'
Subject: Code Red v2 ?
Snort has been logging numerous web-cgi_http-cgi-pipe attacks.
When I look at the captured packets, they are the ida overflow from Code Red.
Could this be Code Red v2?
The original signature is:
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS552/web-iis_IIS ISAPI Overflow ida"; dsize: >239; flags: A+; uricontent: ".ida?"; classtype: system-or-info-attempt; reference: arachnids,552;)
Is it possible that the dsize is causing the problem?
Owen C. Creger
Information Systems Security
Creative Solutions Inc.
7322 Newman Blvd.
Dexter, MI 48130
ph: 734-426-5860 ex. 3787
cell: 734-223-6270
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com