From: J Moll (jmoll-lists my-mbox.com)
Date: Sun Aug 05 2001 - 01:21:11 CDT
All:
I'm using this Snort signature to distinguish between the original and recent
variant of CodeRed. I'm sure it can be optimized -- grabbed a bit of the
binary around the text "CodeRedII" in the packet to cut down on false
alarms.. putting it out so folks can log the differences.
alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; content: "|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"; depth:624;)
Best Regards,
Joe Moll
-- Joseph L. Moll, CISSP -- jmollautoproxy.com
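Added example (not part of the original message, and not Snort's own code): a Python model of how the rule's content and depth options are evaluated, showing why the binary around the "CodeRedII" text cuts false alarms and what depth:624 excludes. The function names and the sample payloads are assumptions constructed for illustration, not captured worm traffic.

```python
import re

# The rule as posted in the message above, joined onto one line.
RULE = ('alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; '
        'content: "|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 '
        'ff55d866 0bc00f95|"; depth:624;)')

def parse_content(rule):
    """Return (pattern_bytes, depth) from a rule's content and depth options."""
    raw = re.search(r'content:\s*"([^"]*)"', rule).group(1)
    out = bytearray()
    # Text between pipes is hex (whitespace ignored); text outside is literal.
    for i, part in enumerate(raw.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    m = re.search(r'depth:\s*(\d+)', rule)
    return bytes(out), (int(m.group(1)) if m else None)

def matches(rule, payload):
    """Content match: the pattern must lie wholly inside the first `depth` payload bytes."""
    pattern, depth = parse_content(rule)
    window = payload if depth is None else payload[:depth]
    return pattern in window

def demo():
    """Evaluate the rule against constructed payloads (hypothetical test data)."""
    pattern, _ = parse_content(RULE)
    filler = b"A" * 400  # constructed stand-in for the start of an HTTP request
    return {
        # marker text plus the surrounding binary, inside the depth window
        "marker_with_binary": matches(RULE, filler + pattern),
        # the ASCII string alone, e.g. a page or mail that mentions the worm
        "text_only": matches(RULE, filler + b"CodeRedII"),
        # request with no marker at all
        "no_marker": matches(RULE, filler),
        # full pattern present, but it ends past byte 624 of the payload
        "past_depth": matches(RULE, b"A" * 600 + pattern),
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:20} {'alert' if hit else 'no alert'}")
```
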