Snort mailing list archives

RE: Problem with Code Red signature


From: Graeme Fowler <graeme.fowler () hosteurope com>
Date: Sun, 5 Aug 2001 22:45:32 +0100

Jyri wrote:

Sometimes I get *only* the "WEB-IIS ISAPI .ida attempt";
the Code Red signature doesn't seem to 'fire' at all.

Well, you could of course be seeing real formulated queries to the ISAPI
Indexing Service! The original buffer overflow for the ISAPI exploit hit
servers which left the default IIS indexing service enabled. It's easy enough
to switch off, but it's also very widely used to do searches of local sites
on that server. That is, after all, what the original service was intended
to do.

Try to remember that we don't trigger FTP or Telnet rules every time
"/bin/sh" is seen!

Graeme
