Not sure if this will be of use to anyone on the list, but figured now is a
good time to post 'em. :)
The following rules work with Snort 1.7+
This one being the most generic to catch .ida overflows-
alert tcp any any -> any 80 (content: ".ida?"; dsize: >239; msg: "Generic
ida ISAPI Overflow"; flags: A+; nocase;)
These are more specific in their detection-
alert tcp any any -> 198.137.240.91 80 (msg:"Possible CodeRed Infection - Whitehouse connection";)
alert tcp any any -> any 80 (msg: "CodeRed Defacement Detected"; flags: A+; content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:64;)
# hex content below decodes to "/default.ida?NNN"
alert tcp any any -> any 80 (msg: "CodeRed Overflow Detected"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|"; depth:64;)
# hex content below decodes to "/x.ida?AAAAA"
alert tcp any any -> any 80 (msg: "Eeye Scanner for CodeRed"; dsize: >239; flags: A+; content:"|2F782e69 64613f41 41414141|"; depth:64;)
I have compiled Snort 1.8 with FlexResponse, and am using these rules to
dump the packets as they hit.
alert tcp any any -> any 80 (msg: "RESET SENT - CodeRed Defacement"; flags:
A+; content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:64;
resp:rst_snd;)
alert tcp any any -> any 80 (msg: "RESET SENT - CodeRed Overflow"; dsize:
>239; flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|"; depth:64;
resp:rst_snd;)
alert tcp any any -> any 80 (msg: "RESET SENT - Eeye Scanner"; dsize: >239;
flags: A+; content:"|2F782e69 64613f41 41414141|"; depth:64; resp:rst_snd;)
Jim Forster
Network Administrator
RapidNet, A Golden West Company
--------------------------------------------------------
http://www.snort.org
Received on Aug 01 2001
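As an added example (not part of the post above and not Snort's own code), the following Python reproduces the matching logic the rules rely on: decoding `|hex|` content strings, `dsize`, `depth` and `nocase`, applied to constructed sample requests. `RULES`, `parse_content`, `matches` and `fired_rules` are hypothetical names chosen here; the sample payloads are constructed and carry no worm code.

```python
# Option subset used by the CodeRed rules in the post, keyed by msg (constructed table).
RULES = {
    "Generic ida ISAPI Overflow": {"content": ".ida?", "nocase": True, "dsize_gt": 239},
    "CodeRed Overflow Detected": {"content": "|2F646566 61756C74 2E696461 3F4E4E4E|",
                                  "dsize_gt": 239, "depth": 64},
    "Eeye Scanner for CodeRed": {"content": "|2F782e69 64613f41 41414141|",
                                 "dsize_gt": 239, "depth": 64},
    "CodeRed Defacement Detected": {"content": "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|",
                                    "depth": 64},
}


def parse_content(spec):
    """Decode a Snort content string: text between | | is hex bytes, the rest is literal."""
    out = b""
    for i, piece in enumerate(spec.split("|")):
        if i % 2 == 1:                      # inside a |...| hex segment
            out += bytes.fromhex(piece.replace(" ", ""))
        else:
            out += piece.encode("latin-1")
    return out


def matches(rule, payload):
    """Apply dsize, depth and nocase the way the rule options in the post do."""
    if "dsize_gt" in rule and len(payload) <= rule["dsize_gt"]:
        return False                        # dsize: >N requires payload longer than N
    pattern = parse_content(rule["content"])
    # depth: the whole pattern must fall within the first N payload bytes
    haystack = payload[: rule["depth"]] if "depth" in rule else payload
    if rule.get("nocase"):
        pattern, haystack = pattern.lower(), haystack.lower()
    return pattern in haystack


def fired_rules(payload):
    """Return the msg of every rule that would alert on this payload, in rule order."""
    return [name for name, rule in RULES.items() if matches(rule, payload)]


# Constructed sample payloads (no shellcode, just the request shapes the signatures key on).
CODERED_LIKE = b"GET /default.ida?" + b"N" * 240 + b" HTTP/1.0\r\n\r\n"
EEYE_LIKE = b"GET /x.ida?" + b"A" * 300 + b" HTTP/1.0\r\n\r\n"
UPPERCASE_IDA = b"GET /X.IDA?" + b"Q" * 300 + b" HTTP/1.0\r\n\r\n"
SHORT_BENIGN = b"GET /default.ida?foo HTTP/1.0\r\n\r\n"
```

The uppercase sample shows why the generic `.ida?` rule carries `nocase` while the hex-content rules, being exact byte matches, do not fire on it.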