Snort mailing list archives

Re: Re: Definitive Code Red rule


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 7 Aug 2001 09:08:22 -0700 (PDT)

On Tue, 7 Aug 2001, Ush wrote:

On Mon, Aug 06, 2001 at 01:38:09PM -0700, Migus, Adam wrote:

Ok so there's a thousand emails going around about the Code Red Worm.  So
what is the definitive rule/signature for snort 1.7 and 1.8 that people are
using?

I would very much like to know this too. I have the latest ruleset for 1.8
from whitehats, and not a mention of Code Red in there :(

Uhhhh, have you noticed:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; classtype:attempted-recon; reference:cve,CAN-2000-0071; sid:1242; rev:1;)

and

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)

and the new

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg: "WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 1257; rev: 1;)

The first two have been there for a while....

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

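To see what the three rules quoted above actually match, here is a small matcher that applies their content/uricontent logic to a handful of constructed HTTP requests. This is an added example, not Snort code and not something from the thread; it re-types the three rules with the archive's mid-word line breaks repaired, ignores the header fields (`$HTTP_SERVERS`, port 80, `flags:A+`) since those are address and TCP-level checks, and stands in for Snort's http_decode preprocessor with a plain percent-decode of the request URI. The sample requests are made up and carry no worm payload.

```python
# Added example (not Snort code and not from the message): a small matcher that
# applies the content/uricontent logic of the three rules quoted in the thread
# to constructed HTTP requests, to show what each signature does and does not catch.
import re
from urllib.parse import unquote

# The three rules from the message, each on one line with the archive's
# mid-word line breaks repaired.
RULES_TEXT = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida access"; '
    'uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; '
    'classtype:attempted-recon; reference:cve,CAN-2000-0071; sid:1242; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS cmd.exe access"; '
    'flags: A+; content:"cmd.exe"; nocase; classtype:attempted-user; sid:1002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg: "WEB-IIS CodeRed v2 root.exe access"; '
    'flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype: attempted-admin; sid: 1257; rev: 1;)',
]

# One rule option: keyword, optional ":value" (quoted or bare), terminated by ';'.
OPTION_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(rule_text):
    """Split a rule into its header string and an ordered list of (keyword, value)."""
    header, _, body = rule_text.partition('(')
    body = body.rstrip().rstrip(')')
    options = []
    for m in OPTION_RE.finditer(body):
        key, val = m.group(1), m.group(2)
        if val is not None:
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
        options.append((key, val))
    return header.strip(), options


def compile_rule(rule_text):
    """Turn rule text into sid, msg and the ordered payload checks it implies.

    'nocase' modifies the content/uricontent option immediately before it,
    which is why option order matters. Header fields ($HTTP_SERVERS, port 80,
    flags:A+) are address/TCP-level and are not evaluated by this toy.
    """
    header, options = parse_rule(rule_text)
    opts = dict(options)
    checks = []
    for key, val in options:
        if key in ('content', 'uricontent'):
            checks.append({'kind': key, 'pattern': val, 'nocase': False})
        elif key == 'nocase' and checks:
            checks[-1]['nocase'] = True
    return {'header': header, 'sid': int(opts['sid']), 'msg': opts['msg'], 'checks': checks}


def request_uri(payload):
    """Extract and percent-decode the request URI (a stand-in for Snort's
    http_decode preprocessor): uricontent matches this normalised URI, while
    content matches the raw payload."""
    request_line = payload.split('\r\n', 1)[0]
    parts = request_line.split(' ')
    return unquote(parts[1]) if len(parts) >= 2 else ''


def rule_matches(rule, payload):
    """True when every content/uricontent check of the rule is satisfied."""
    uri = request_uri(payload)
    for chk in rule['checks']:
        haystack = uri if chk['kind'] == 'uricontent' else payload
        needle = chk['pattern']
        if chk['nocase']:
            haystack, needle = haystack.lower(), needle.lower()
        if needle not in haystack:
            return False
    return True


def scan(payloads, rules):
    """Return (payload index, sid, msg) for every rule that fires on each payload."""
    return [(i, r['sid'], r['msg'])
            for i, p in enumerate(payloads)
            for r in rules if rule_matches(r, p)]


RULES = [compile_rule(t) for t in RULES_TEXT]

# Constructed request payloads (no real worm traffic): a plain .ida probe, the
# same probe with the dot percent-encoded, a root.exe call, an upper-case
# cmd.exe call, and a benign request.
SAMPLE_REQUESTS = [
    'GET /default.ida?AAAAAAAA HTTP/1.0\r\nHost: www.example.com\r\n\r\n',
    'GET /default%2Eida?AAAAAAAA HTTP/1.0\r\nHost: www.example.com\r\n\r\n',
    'GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: www.example.com\r\n\r\n',
    'GET /scripts/CMD.EXE?/c+dir HTTP/1.0\r\nHost: www.example.com\r\n\r\n',
    'GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n',
]

if __name__ == '__main__':
    for idx, sid, msg in scan(SAMPLE_REQUESTS, RULES):
        print(f'request {idx}: sid {sid} {msg}')
```

The second sample request is the instructive one: the raw bytes never contain `.ida`, so a plain `content:".ida"` would miss it, while `uricontent` sees the decoded URI and sid 1242 still fires. The `nocase` modifier is likewise what lets sid 1002 catch `CMD.EXE`; without it the rule is trivially sidestepped by case.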
