Security Incidents mailing list archives

CodeRedII variant - smaller size now?


From: "Deterding, Brent D" <bddete () solutia com>
Date: Sun, 5 Aug 2001 23:42:48 -0500

I'm using snort 1.8 w/ this additional rule:

alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; content: "|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"; depth:624;)

I'm getting hit from ONE host in the following pattern: 5 times in the
past 3 hours

I am getting with my .ida rule:

1436 data bytes w/ ACK only
<identical packet>
1343 data bytes w/ ACK-PSH
<identical packet>

I am getting with my cmd rule:

1436 data bytes w/ ACK only
<identical packet>
1315 data bytes w/ ACK-PSH
<identical packet>

I am getting with the new CodeRedII rule:

536 data bytes w/ ACK only
<identical packet>
373 data bytes w/ ACK-PSH
<identical packet>

Why would ONE host only be hitting me with 3 different signatures? I've
had 1400+ hits on both .ida and cmd rules; but only 20 on the CodeRedII
rule. What is this smaller signature up to?

Any ideas?

-- Brent Deterding
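An added example, not part of Brent's message and not Snort's own code: a small Python model of how the posted rule's three constraints (the hex `content`, `depth:624`, `flags: A+`) decide whether a TCP segment fires, run over constructed payloads. The segment sizes mirror the ones reported above, but the filler bytes, the `GET /default.ida?` prefix used for the first segment, and the offset at which the pattern is placed are assumptions, not captured traffic. It shows one thing the rule text alone does not make obvious: `depth` is measured from the start of whatever payload Snort inspects, so the same 32 bytes match in a 373-byte segment but would not match if they sat at offset 1636 of a reassembled stream.

```python
from typing import Optional

# Content argument copied from the posted rule. The hex run
# 43 6f 64 65 52 65 64 49 49 00 is ASCII "CodeRedII" followed by a NUL.
SNORT_CONTENT = ("|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 "
                 "ff55d866 0bc00f95|")
DEPTH = 624            # depth:624 from the rule
RULE_FLAGS = "A+"      # flags: A+ from the rule (ACK set, others don't care)


def parse_snort_content(s: str) -> bytes:
    """Convert a Snort content string to raw bytes.

    Text between '|' pipes is hex (whitespace ignored); text outside
    the pipes is taken literally.
    """
    out = bytearray()
    for i, chunk in enumerate(s.split("|")):
        if i % 2 == 1:                       # odd chunks lie between pipes
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:
            out += chunk.encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, pattern: bytes,
                    depth: Optional[int] = None) -> bool:
    """Snort-style content test: the whole pattern must sit inside the
    first `depth` payload bytes (depth=None means search everything)."""
    window = payload if depth is None else payload[:depth]
    return pattern in window


def flags_match(tcp_flags: str, rule_flags: str) -> bool:
    """Model of Snort's flags option for the 'X+' form: every flag named
    before the '+' must be set; any other flags are ignored."""
    required = set(rule_flags.rstrip("+"))
    return required <= set(tcp_flags)


def rule_fires(payload: bytes, tcp_flags: str) -> bool:
    """Does the posted CodeRedII rule fire on this segment?"""
    return (flags_match(tcp_flags, RULE_FLAGS)
            and content_matches(payload, PATTERN, DEPTH))


PATTERN = parse_snort_content(SNORT_CONTENT)


def build_segment(total_len: int, pattern_offset: int) -> bytes:
    """Constructed sample payload (not a real capture): filler bytes with
    PATTERN placed at pattern_offset, padded out to total_len."""
    body = b"X" * pattern_offset + PATTERN
    assert len(body) <= total_len, "pattern does not fit in segment"
    return body + b"X" * (total_len - len(body))


# Constructed segments sized like the ones in the message.
SEGMENT_373 = build_segment(373, 200)            # pattern at offset 200
IDA_PREFIX = b"GET /default.ida?"                # assumed .ida request start
FIRST_SEGMENT_1436 = IDA_PREFIX + b"N" * (1436 - len(IDA_PREFIX))
# What a stream reassembler would hand the rule: pattern now at offset 1636.
REASSEMBLED = FIRST_SEGMENT_1436 + SEGMENT_373


if __name__ == "__main__":
    print("pattern bytes:", len(PATTERN), PATTERN[11:21])
    print("373-byte ACK-PSH segment fires:", rule_fires(SEGMENT_373, "AP"))
    print("373-byte ACK-only segment fires:", rule_fires(SEGMENT_373, "A"))
    print("reassembled stream fires (depth 624):",
          rule_fires(REASSEMBLED, "AP"))
    print("same stream, no depth limit:",
          content_matches(REASSEMBLED, PATTERN))
```

The last two lines are the check worth carrying back to a real sensor: if the bytes a rule looks for can land past `depth` once segments are joined, the rule's hit count depends on whether inspection happens per segment or per reassembled stream, which is one reason per-packet and per-stream counts for the same traffic can differ.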

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

