Snort mailing list archives
RE: CodeRed question amended
From: "Kliarsky, Adam D." <adam.kliarsky () wamu net>
Date: Fri, 10 Dec 2004 12:39:38 -0800
Snort passes decoded packets through the preprocessors before sending them to the signature engine; do you see any (http_inspect) messages?

- adam

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Foster, Ken
Sent: Friday, December 10, 2004 12:26 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] CodeRed question amended

I'm having trouble getting Snort to detect the following packet, which clearly looks to me like a CodeRed:

21:30:30.064488 80.6.66.193.2437 > 46.5.23.118.80: P 760737404:760738832(1428) ack 2140171777 win 17520 (frag 25611:1448@0+)
0x0000 4500 05bc 640b 6000 6c06 b3f5 5006 42c1  E...d.`.l...P.B.
0x0010 2e05 1776 0985 0050 2d57 ee7c 7f90 6e01  ...v...P-W.|..n.
0x0020 5018 4470 e686 0000 4745 5420 2f64 6566  P.Dp....GET./def
0x0030 6175 6c74 2e69 6461 3f4e 4e4e 4e4e 4e4e  ault.ida?NNNNNNN

I am running on Windows XP (unfortunately) with Snort version:

Version 2.1.3-ODBC-MySQL-FlexRESP-WIN32 (Build 27)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8 - 2.1 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)

I don't know why rule 1243 below from web-iis.rules is not triggering. Does anyone have any idea why this isn't working? I am getting alerts from other rules and no errors, so I'm not sure where else to look at this point.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:1243; rev:11;)

Thanks.

Ken Foster

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
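Editor's note: the following is an added example, not code from either poster or from the Snort project. It decodes the four hexdump lines quoted above (a constructed, truncated copy of the packet) to show what the signature engine has to work with: the IP header carries the More Fragments bit, so this is the first piece of a fragmented datagram, and rule 1243's uricontent test only sees the URI once fragments have been reassembled and the HTTP preprocessor has normalized the request. The naive uri_matches() helper is an assumption for illustration, not Snort's matcher.

```python
import struct

# Constructed input: the hexdump lines from the post (only the first 64 bytes
# of a 1468-byte datagram were quoted, so the payload is truncated).
HEXDUMP = """\
0x0000 4500 05bc 640b 6000 6c06 b3f5 5006 42c1
0x0010 2e05 1776 0985 0050 2d57 ee7c 7f90 6e01
0x0020 5018 4470 e686 0000 4745 5420 2f64 6566
0x0030 6175 6c74 2e69 6461 3f4e 4e4e 4e4e 4e4e
"""

def hexdump_to_bytes(dump):
    """Turn tcpdump -x style lines into raw bytes (offset column dropped)."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if fields:
            for word in fields[1:]:
                out += bytes.fromhex(word)
    return bytes(out)

def decode(pkt):
    """Decode IPv4 + TCP headers and return the fields relevant to detection."""
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    thl = (off_flags >> 12) * 4
    return {
        "total_len": total_len, "ip_id": ident, "proto": proto,
        "df": bool(flags_off & 0x4000),          # Don't Fragment
        "mf": bool(flags_off & 0x2000),          # More Fragments follow
        "frag_offset": (flags_off & 0x1FFF) * 8,  # in bytes
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "win": win,
        "psh": bool(off_flags & 0x08), "ack_flag": bool(off_flags & 0x10),
        "payload": tcp[thl:],
    }

def uri_matches(payload, pattern=b".ida?"):
    """Hypothetical stand-in for uricontent/nocase: take the URI token of the
    request line and look for the pattern case-insensitively."""
    parts = payload.split(b" ", 2)
    return len(parts) >= 2 and pattern.lower() in parts[1].lower()

def analyze(dump=HEXDUMP):
    info = decode(hexdump_to_bytes(dump))
    info["is_fragment"] = info["mf"] or info["frag_offset"] > 0
    info["uri_match"] = uri_matches(info["payload"])
    return info
```

If is_fragment is true while uri_match is true on the raw bytes, the rule can only fire after IP defragmentation and stream reassembly have delivered the whole request to http_inspect, which is the first place to look when an otherwise obvious match stays silent.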