Security Incidents mailing list archives

Re: .ida Intrusion Attempt


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Fri, 20 Jul 2001 12:48:14 +1200 (NZST)


On Thu, 19 Jul 2001 10:55:10 -0700 (PDT) Joe Smith 
<shadowm4n () yahoo com> wrote:

> Interesting.  I played around with the rules some, and
> figured out why snort wasn't finding it with the .ida
> rule.  Since I'm only logging the first 100 bytes of
> data, the .ida rule misses it because part of the
> criteria of the rule is for data size to be greater
> than 239 bytes.


Ahh... that explains that!  My snort was seeing some '.ida?' probes 
*but* none of the machines that got hit by the Code Red worm were 
logged.

The external addresses that were detected by snort appear to be probing 
random addresses on port 80 -- just like the Code Red worm does.

Are there two versions out there?

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand





----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com
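The detection gap described in the thread (a rule that requires more than 239 bytes of payload, run on a sensor that only keeps the first 100 bytes) can be reproduced with a small model of the rule logic. This is an added illustration, not Snort's engine and not the actual rule text from the thread; the rule names, the `Rule` class, the probe payload and the 54-byte header estimate are all assumptions constructed for the example.

```python
"""Why a content rule with a minimum-size condition goes silent when the
sensor truncates payload (constructed example, not Snort's matching engine)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    """Simplified model of two Snort rule options: content and dsize:>N."""
    msg: str
    content: bytes            # substring that must appear in the payload
    dsize_gt: Optional[int]   # payload must be longer than this, or None

    def matches(self, payload: bytes) -> bool:
        # Case-insensitive substring match, like a 'nocase' content option.
        if self.content.lower() not in payload.lower():
            return False
        # dsize is evaluated on the payload the sensor actually holds.
        if self.dsize_gt is not None and len(payload) <= self.dsize_gt:
            return False
        return True


def build_probe(filler: int = 224) -> bytes:
    """Constructed Code Red-style request: '.ida?' followed by a long run
    of 'N' and some %u-encoded bytes.  Loosely modelled, not a real capture."""
    return (b"GET /default.ida?" + b"N" * filler
            + b"%u9090%u6858%ucbd3 HTTP/1.0\r\n"
            b"Content-type: text/xml\r\nHOST: www.worm.com\r\n\r\n")


def captured(payload: bytes, snaplen: Optional[int]) -> bytes:
    """What the rule engine sees when only `snaplen` bytes of payload are kept."""
    return payload if snaplen is None else payload[:snaplen]


# Hypothetical rules: one with the size condition the thread describes, one without.
IDA_RULE_WITH_DSIZE = Rule("ISAPI .ida attempt (dsize>239)", b".ida?", 239)
IDA_RULE_NO_DSIZE = Rule("ISAPI .ida probe (any size)", b".ida?", None)


def evaluate(payload: bytes, snaplen: Optional[int],
             rules: List[Rule]) -> Dict[str, bool]:
    """Run each rule against the (possibly truncated) payload."""
    seen = captured(payload, snaplen)
    return {r.msg: r.matches(seen) for r in rules}


def min_snaplen_for_rule(rule: Rule, header_bytes: int = 54) -> int:
    """Smallest pcap snaplen that still lets a dsize:>N rule fire.
    Assumes Ethernet + IPv4 + TCP headers without options (14+20+20 = 54);
    pcap's snaplen counts those headers before any payload."""
    if rule.dsize_gt is None:
        return header_bytes + len(rule.content)
    return header_bytes + rule.dsize_gt + 1


if __name__ == "__main__":
    probe = build_probe()
    for snaplen in (None, 100):
        label = "full capture" if snaplen is None else f"snaplen={snaplen} bytes of payload"
        print(label, evaluate(probe, snaplen, [IDA_RULE_WITH_DSIZE, IDA_RULE_NO_DSIZE]))
    print("payload length:", len(probe))
    print("min snaplen for the dsize>239 rule:", min_snaplen_for_rule(IDA_RULE_WITH_DSIZE))
```

With the full request the size-conditioned rule fires; with only 100 bytes of payload kept, the ".ida?" string is still present but the rule can never see more than 100 bytes, so it is silent on every hit, exactly the behaviour the thread reports. The looser rule still fires on truncated captures, at the cost of also alerting on short '.ida?' probes that the dsize condition was meant to exclude.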