Snort mailing list archives

CodeRed Observations.


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Wed, 12 Mar 2003 12:03:55 -0500

Hello,

I have been watching this recent spike in CodeRed activity and one thing I am noticing is the lack of TCP session establishment. I am seeing common GET strings like this showing up at my firewalls without ever establishing a TCP three-way handshake. I have seen several hundred packets within the last two days similar to this at my firewalls.

47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
Snip------------------------------------------------------------------------

I find it awfully strange that there is no handshake (not even a single SYN to try and establish a session) but these packets show up anyway. I also am not seeing an increase of port 80 scans in my firewall logs or with any of my IDS sensors. Is anybody else out there seeing the same things we are?

Thanks!

vjl

V.Jay LaRosa                           EMC Corporation
Information Security                  4400 Computer Dr.
(508)898-7433 office                  Westboro, MA 01580
(508)353-1348 cell                     www.emc.com
888-799-9750 pager                   larosa_vjay () emc com
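As an added illustration (not code from the post or from the Snort project), the following Python checker parses a hex dump in the format quoted above, matches the Code Red request line, and reports whether each matching request arrived on a client-to-server flow that completed a three-way handshake. The packet list, addresses and single-letter flag encoding are constructed for the example.

```python
import re

# Constructed sample: the hex dump rows quoted in the post.
SAMPLE_DUMP = """\
47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Recover raw payload bytes from 'hex  ascii' rows; other lines are skipped."""
    out = bytearray()
    for line in dump.splitlines():
        toks = line.strip().split("  ")[0].split()   # hex column ends at 2 spaces
        if toks and all(re.fullmatch(r"[0-9A-Fa-f]{2}", t) for t in toks):
            out += bytes.fromhex("".join(toks))
    return bytes(out)

# Code Red's request line: GET /default.ida? followed by a long run of 'X'.
CODERED_SIG = re.compile(rb"^GET /default\.ida\?X{20,}")

def is_codered_request(payload: bytes) -> bool:
    return CODERED_SIG.match(payload) is not None

def check_flows(packets):
    """packets: (src, dst, flags, payload) in arrival order; flags are TCP flag
    letters (S, SA, A, PA). Reports each Code Red request with its handshake state."""
    syn, synack, established = set(), set(), set()
    alerts = []
    for src, dst, flags, payload in packets:
        flow = (src, dst)                       # client -> server direction
        if flags == "S":
            syn.add(flow)
        elif flags == "SA" and (dst, src) in syn:
            synack.add((dst, src))              # keep the client -> server key
        elif flags == "A" and flow in synack:
            established.add(flow)
        if payload and is_codered_request(payload):
            alerts.append({"src": src, "dst": dst, "handshake": flow in established})
    return alerts

# Constructed traffic: one request inside a completed session, one with no
# handshake at all (the pattern described in the post), and one benign request.
CODERED = hexdump_to_bytes(SAMPLE_DUMP)
PACKETS = [
    ("10.0.0.5", "192.0.2.10", "S", b""),
    ("192.0.2.10", "10.0.0.5", "SA", b""),
    ("10.0.0.5", "192.0.2.10", "A", b""),
    ("10.0.0.5", "192.0.2.10", "PA", CODERED),
    ("203.0.113.7", "192.0.2.10", "PA", CODERED),
    ("10.0.0.9", "192.0.2.10", "PA", b"GET /index.html HTTP/1.0\r\n"),
]
```

Running `check_flows(PACKETS)` flags both Code Red requests, with `handshake` False for the one that arrived without any SYN, which is the case the post describes.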
