[Snort-sigs] Signature to detect Code Red Worm Installation (Index Server exploit) attempts
Nelson, James (CC-MIS Plans and Prog)
James.Nelson at ...74...
Thu Aug 16 18:17:38 EDT 2001
I did not see a contrib area on the site. I started by downloading the
current rules. I opened the web-iis rules file
# $Id: web-iis.rules,v 1.17 2001/08/07 02:18:44 roesch Exp $
# WEB-IIS RULES
I opened an Apache web server access log and copied a Code Red C worm
attempt, then used it plus the other rules to build the following line to the
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg: "WEB-IIS CodeRed C
Worm Attempt"; flags: A+;
%u00=a"; nocase;reference:cert,ca-2001-19; classtype: attempted-admin; sid:
9259; rev: 1;)
This rule is a horrible idea to install on anything facing the internet
right now, but if it works it should have value for anyone who wants to be
sure they don't have Code Red activity occurring on their private network. I
have not had a chance to test it, so let me know if it works.
I did not know what to put for the SID so I gave the rule a number that is
not in use by anything else in the rule download. What is the right thing
Is there a better (more efficient) method of composing a signature to
detect active code red worms trying to hit your network? Comments please!
Information Safety and Security
Corporate IT, ConAgra Foods Inc.
james.nelson at ...74...
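The following is an added example, not part of the post above and not a Snort component: a small Python script that applies the same kind of check the posted rule does (the content string "%u00=a", compared case-insensitively as Snort's nocase does) to Apache access-log lines, and beside it a stricter variant that also requires the request target to be an .ida/.idq URI, since the Index Server ISAPI filter that Code Red exploits is reached through those extensions (CERT CA-2001-19). The log lines are constructed for the example, not captured traffic, and the worm's long run of "N" padding is abbreviated; the .ida/.idq restriction as a false-positive filter is this example's assumption, not something the rule or the advisory prescribes.

```python
import re
from typing import Dict, List, Optional

# Apache common log format prefix; the combined format only appends fields after 'size'.
APACHE_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The content string the posted rule matches, compared case-insensitively
# to mirror Snort's 'nocase' modifier.
CODERED_CONTENT = "%u00=a"

# Stricter check (assumption made for this example): the Index Server ISAPI
# filter is reached via .ida/.idq URIs, so any other occurrence of the content
# string is treated as a probable false positive.
IDA_URI = re.compile(r'\.id[aq](\?|$)', re.IGNORECASE)

# Constructed sample log lines, not captured traffic; the worm's 'N' padding is abbreviated.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Aug/2001:18:02:11 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.77 - - [16/Aug/2001:18:05:43 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u00=a HTTP/1.0" 404 280
192.0.2.12 - - [16/Aug/2001:18:06:01 -0400] "GET /docs/%U00=A HTTP/1.0" 404 211
192.0.2.13 - - [16/Aug/2001:18:07:30 -0400] "POST /cgi-bin/form.pl HTTP/1.0" 200 512
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one Apache access-log line, or None if it does not parse."""
    m = APACHE_LINE.match(line)
    return m.groupdict() if m else None


def content_match(uri: str) -> bool:
    """Loose check: the rule's content string anywhere in the request URI, ignoring case."""
    return CODERED_CONTENT.lower() in uri.lower()


def strict_match(uri: str) -> bool:
    """Stricter check: content string present AND the target is an .ida/.idq URI."""
    return content_match(uri) and IDA_URI.search(uri) is not None


def scan_log(text: str, strict: bool = False) -> List[Dict[str, str]]:
    """Return the parsed entries whose request URI satisfies the chosen check."""
    check = strict_match if strict else content_match
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and check(entry["uri"]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for label, strict in (("content-only", False), ("content + .ida/.idq", True)):
        print(f"[{label}]")
        for hit in scan_log(SAMPLE_LOG, strict=strict):
            print(f"  {hit['client']} {hit['method']} {hit['uri']} -> {hit['status']}")
```

Run against the sample, the content-only check flags both the .ida request and the unrelated /docs/ request containing the same six characters; the stricter check keeps only the .ida request. The same trade-off applies to the Snort rule: a short content match is cheap but will fire on any request carrying that string, whereas anchoring it to the URI the exploit actually needs narrows the alert to the Index Server attack surface.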