snort signature for new CodeRed variant
From: J Moll (jmoll-lists@my-mbox.com)
Date: 08/05/01
- Previous message: Ryan Russell: "CodeRed II (fwd)"
- Next in thread: David Brown: "Re: snort signature for new CodeRed variant"
- Reply: David Brown: "Re: snort signature for new CodeRed variant"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: J Moll <jmoll-lists@my-mbox.com>
To: incidents@securityfocus.com
Subject: snort signature for new CodeRed variant
Date: Sat, 4 Aug 2001 23:21:11 -0700
Message-Id: <01080423211101.01745@rogue.autoproxy.net>
All:
I'm using this Snort signature to distinguish between the original and recent
variant of CodeRed. I'm sure it can be optimized -- grabbed a bit of the
binary around the text "CodeRedII" in the packet to cut down on false
alarms. Putting it out so folks can log the differences.
alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; content: "|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"; depth:624;)
Best Regards,
Joe Moll
-- Joseph L. Moll, CISSP -- jmoll@autoproxy.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
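The rule above keys on two things: the 32 content bytes (binary context plus the "CodeRedII" string) and the `depth:624` qualifier, which requires the whole pattern to sit inside the first 624 bytes of the payload. The following Python is an added illustration of that matching logic, not code from Joe Moll's post or from Snort: the content bytes are copied from the rule, while the `Packet` type, the helper names and the sample packets are constructed here to show which traffic the rule would and would not flag.

```python
from dataclasses import dataclass

# Content bytes copied from the rule above (the pipe-delimited hex), joined into one
# byte string. Names and sample packets below are constructed for this example.
CODERED2_CONTENT = bytes.fromhex(
    "46309a02" "0000e80a" "00000043" "6f646552"
    "65644949" "008b1c24" "ff55d866" "0bc00f95"
)
RULE_DEPTH = 624                  # 'depth:624' in the rule
RULE_MSG = "CodeRedII Overflow"   # 'msg' in the rule


@dataclass
class Packet:
    """Minimal stand-in for the TCP fields the rule header looks at (constructed)."""
    dport: int
    tcp_flags: str        # e.g. "AP" for ACK+PSH, "S" for a bare SYN
    payload: bytes


def content_within_depth(payload: bytes, content: bytes, depth: int) -> bool:
    """Snort 'content' combined with 'depth:N': the entire pattern must fall inside
    the first N payload bytes. bytes.find with an end bound searches only
    payload[0:depth], so a pattern that starts before byte N but ends after it
    is correctly rejected."""
    return payload.find(content, 0, depth) != -1


def codered2_alert(pkt: Packet) -> bool:
    """Apply the rule: 'tcp any any -> any 80', 'flags: A+' (ACK set, any others
    allowed), then the content/depth test on the payload."""
    if pkt.dport != 80 or "A" not in pkt.tcp_flags:
        return False
    return content_within_depth(pkt.payload, CODERED2_CONTENT, RULE_DEPTH)


def scan(packets):
    """Return (index, msg) for every packet that would have raised the alert."""
    return [(i, RULE_MSG) for i, p in enumerate(packets) if codered2_alert(p)]


# Constructed sample traffic; filler bytes stand in for the rest of a request.
SAMPLE_PACKETS = [
    # 0: pattern at offset 100, well inside depth 624 -> alert
    Packet(80, "AP", b"X" * 100 + CODERED2_CONTENT + b"Y" * 50),
    # 1: same bytes starting at offset 700 -> beyond depth, no alert
    Packet(80, "AP", b"X" * 700 + CODERED2_CONTENT),
    # 2: pattern straddles the depth boundary (bytes 610..641) -> no alert
    Packet(80, "AP", b"X" * 610 + CODERED2_CONTENT),
    # 3: only the ASCII text "CodeRedII", as in mail or a log, no binary context -> no alert
    Packet(80, "AP", b"Subject: CodeRedII signature thread\r\n"),
    # 4: right bytes but not destination port 80 -> header does not match
    Packet(25, "AP", b"X" * 100 + CODERED2_CONTENT),
    # 5: port 80 but a bare SYN (no ACK) -> 'flags: A+' fails
    Packet(80, "S", b"X" * 100 + CODERED2_CONTENT),
]


if __name__ == "__main__":
    for idx, msg in scan(SAMPLE_PACKETS):
        print(f"packet {idx}: {msg}")
```

Packet 3 is the case the post's "bit of the binary around the text" is meant to handle: a payload that merely mentions CodeRedII in ASCII does not carry the surrounding bytes and is not flagged. Packets 1 and 2 show the effect of `depth`: if the pattern sits later in the request than the author observed, the rule stays silent, which is the trade-off to weigh before tightening a depth value.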