From: David Brown (dbrownechoice.com.au)
Date: Sun Aug 05 2001 - 02:00:35 CDT


    Joe,
    Just tried the Snort sig (1.7) and it didn't pick up the latest CodeRedII
    scan? Snort reported it as IDS552 and the packet dump was a CodeRedII
    packet.
    Here is the snort rule again:
    alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; content:
    "|46309a02 0000e80a 0000
    0043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"; depth:624;)

    Any ideas what I've done wrong ??

    Rgds,

    Dave

    ----- Original Message -----
    From: "J Moll" <jmoll-listsmy-mbox.com>
    To: <incidentssecurityfocus.com>
    Sent: Sunday, August 05, 2001 4:21 PM
    Subject: snort signature for new CodeRed variant

    > All:
    >
    > I'm using this Snort signature to distinguish between the original and recent
    > variant of CodeRed. I'm sure it can be optimized -- grabbed a bit of the
    > binary around the text "CodeRedII" in the packet to cut down on false
    > alarms.. putting it out so folks can log the differences.
    >
    >
    > alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; content:
    > "|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24
    > ff55d866 0bc00f95|"; depth:624;)
    >
    >
    > Best Regards,
    > Joe Moll
    >
    > --
    > Joseph L. Moll, CISSP -- jmollautoproxy.com
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >

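The thread turns on two bits of Snort rule semantics: the |hex| content notation and the depth modifier. The following is an added example, not code from the thread or from the Snort project: a small Python re-implementation of just those two pieces, so the posted rule can be checked against a payload offline. The rule string is Joe Moll's signature from the message above joined onto a single line (Snort reads rules one per line), the option parser and the two test payloads are this example's own construction, and the "flags: A+" header test is deliberately not modelled.

```python
"""Snort-style content/depth matching, reduced to a few functions.

Added example, not Snort code: it reproduces the |hex| content notation and
the depth modifier so a rule's content test can be run against a payload.
"""
import re
from typing import Optional

# Joe Moll's rule from the thread, joined onto one line.
CODEREDII_RULE = (
    'alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; '
    'content: "|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 '
    'ff55d866 0bc00f95|"; depth:624;)'
)

# Matches one "name: value;" or bare "name;" option inside the parentheses;
# quoted values may contain spaces and semicolons.
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string into bytes.

    Text outside |...| is taken literally; text inside is hex, and any
    whitespace between hex digits (spaces, line breaks) is ignored.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")       # literal segment
        else:
            digits = re.sub(r"\s+", "", part)   # hex segment
            if len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", digits):
                raise ValueError(f"bad hex segment: {part!r}")
            out += bytes.fromhex(digits)
    return bytes(out)


def rule_options(rule: str) -> dict:
    """Return the rule's option block as a name -> value dict (quotes stripped)."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for name, value in OPTION_RE.findall(body):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        opts[name] = value
    return opts


def content_matches(payload: bytes, pattern: bytes, depth: Optional[int] = None) -> bool:
    """Snort 'depth' semantics: the whole pattern must lie inside the first
    `depth` payload bytes; with no depth the full payload is searched."""
    window = payload if depth is None else payload[:depth]
    return pattern in window


def rule_matches(rule: str, payload: bytes) -> bool:
    """Evaluate only the content/depth options of a rule against a payload.
    Header fields and the 'flags' option are not modelled here."""
    opts = rule_options(rule)
    depth = int(opts["depth"]) if "depth" in opts else None
    return content_matches(payload, parse_content(opts["content"]), depth)


# The signature bytes, and the same hex as it appears wrapped across lines in
# the reply above; under this parser both decode to the same 32 bytes.
SIGNATURE = parse_content(rule_options(CODEREDII_RULE)["content"])
WRAPPED_SPEC = "|46309a02 0000e80a 0000\n0043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"

# Constructed payloads (not real captures): identical bytes, with the
# signature placed inside and then beyond the 624-byte depth window.
EARLY_PAYLOAD = b"GET / HTTP/1.0\r\n\r\n" + b"X" * 200 + SIGNATURE + b"\r\n"
LATE_PAYLOAD = b"GET / HTTP/1.0\r\n\r\n" + b"X" * 700 + SIGNATURE + b"\r\n"

if __name__ == "__main__":
    print("signature bytes:", len(SIGNATURE), "| contains CodeRedII:", b"CodeRedII" in SIGNATURE)
    print("wrapped hex decodes identically:", parse_content(WRAPPED_SPEC) == SIGNATURE)
    print("early payload matches:", rule_matches(CODEREDII_RULE, EARLY_PAYLOAD))
    print("late payload matches :", rule_matches(CODEREDII_RULE, LATE_PAYLOAD))
```

Two things worth noticing when running it: the signature bytes include the ASCII string "CodeRedII" (0x43 0x6f 0x64 0x65 0x52 0x65 0x64 0x49 0x49), which is what the extra binary context on either side is tightening; and depth:624 means the pattern must sit entirely within the first 624 payload bytes, so the same bytes placed later in the packet go unreported even though a plain content search would find them. Whitespace inside the |...| block is harmless to this parser, but a rule broken across physical lines in a rules file is a different matter, since Snort treats each line as a rule.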