Re: CRv3?? [was RE: Code Red Rule?]

["Douglas R. Wilson" <dougw () capu net>]

This is the signature of the eEye tool to scan for Code Red vulnerabilities.
A lot of sysadmins are using it in preparation for this evenings next
"outbreak" to see if there are still vulnerable systems on their networks.

http://www.eeye.com/html/Research/Tools/codered.html

please note that it uses a different character for the overflow character,
and there is no payload to be delivered after the buffer overflow. The
scanner just checks the response that the server gives to see whether the
vulnerability exists or not.

doug

--

===========================================
Douglas R. Wilson | dougw () capu net
Systems Administrator
CapuNet, LLC - Corporate Internet Solutions
===========================================



----- Original Message -----
From: "Mike Baptiste" <baptiste () cc-concepts com>
To: <berjo () ozemail com au>; "John Berkers" <berjo () ozemail com au>
Cc: "Snort Users List (E-mail)" <snort-users () lists sourceforge net>
Sent: Tuesday, July 31, 2001 6:54 PM
Subject: CRv3?? [was RE: [Snort-users] Code Red Rule?]


> Removing the 'default' was a good idea.  I'm not sure if these are Code
Red v3
> or some other probe tool, but since 5PM today my web servers have been
probed
> about 10 times and the probe is NOT the same as CRv2:
>
> 136.176.193.[some#] - - [31/Jul/2001:16:57:45 -0400] "GET /x.ida?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X HTTP/1.1"
404
> 280 "-" "-"
>
> [somehost].bradley.edu - - [31/Jul/2001:17:09:40 -0400] "GET /x.ida?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X HTTP/1.1"
404
> 211 "-" "-"
>
> Each of my servers gets probed twice by the same infected host, about 2
minutes
> apart.
>
> Just thought I'd pass on the info - this may be something else entirely -
I
> tried searching for this signature and came up empty but the various
security
> sites are a bit slow tonight (no surprise) and the searches didn't always
work.
> We'll see how it goes!
>
> Mike
>
>
> Quoting John Berkers <berjo () ozemail com au>:
>
> > For Snort 1.7 I would suggest content:".ida?";nocase , for snort 1.8
> > uricontent:".ida?";nocase
> >
> > Removing the /default portion of the content makes the signature more
> > generic, since in theory the ida overflow could be done via index.ida as
> > well.  The ? reduces the number of false alerts as the ? is required to
> > produce the overflow.  Finally, the nocase removes any case sensitivity
> > the
> > rule would otherwise have, which Windows doesn't.  It might also be
> > worthwhile to add a dsize: >239; flags A+ as per both Snort and
> > Whitehats
> > rules to further reduce false positives.
> >
> > The rule already exists in web-iis.rules from snort CVS since 19 June,
> > and
> > also in Whitehats vision17.rules and vision18.rules from around the same
> > time.
> >
> > Lets hope all the preparation has paid off!
> >
> > Regards,
> >
> > John Berkers
> > berjo () ozemail com au
> >
> >
> > -----Original Message-----
> > From: snort-users-admin () lists sourceforge net
> > [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Richard
> > Parker
> > Sent: Tuesday, 31 July 2001 4:57
> > To: Snort-users () lists sourceforge net
> > Subject: [Snort-users] Code Red Rule?
> >
> >
> > Hi,
> >
> > I'm relatively new to snort, could someone comment on this rule for
> > catching Code Red?
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Code Red default.ida
> > attempt"; flags:PA; content:"GET /default.ida"; nocase;)
> >
> > Is that right?
> >
> > TIA
> >
> > Rich
> >
> > --
> > Richard Parker, Expressive Limited
> >
> > -> bash luser
> > With what? Your bare hands?
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users