[Snort-sigs] Signature to detect Code Red Worm Installation (Index Server exploit) attempts

Nelson, James (CC-MIS Plans and Prog) James.Nelson at ...74...
Thu Aug 16 18:17:38 EDT 2001


List subscribers,
I did not see a contrib area on the site.  I started by downloading the
current rules.  I opened the webIIS rules file

# $Id: web-iis.rules,v 1.17 2001/08/07 02:18:44 roesch Exp $
#--------------
# WEB-IIS RULES
#--------------

I opened an apache web server access log and copied a Code Red C worm
attempt, then used it plus the other rules to build the following line at the
bottom:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg: "WEB-IIS CodeRed C
Worm Attempt"; flags: A+;
uricontent:"/default.idaXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000
%u00=a"; nocase;reference:cert,ca-2001-19; classtype: attempted-admin; sid:
9259; rev: 1;)

This rule is a horrible idea to install on anything facing the internet
right now, but if it works it should have value for anyone who wants to be
sure they don't have code red activity occurring on their private network.  I
have not had a chance to test it, so let me know if it works.

I did not know what to put for the SID so I gave the rule a number that is
not in use by anything else in the rule download.  What is the right thing
to do?

Is there a better (more efficient) method of composing a signature to
detect active code red worms trying to hit your network?  Comments please!

James Nelson 
Security Technologist 
Information Safety and Security 
Corporate IT, ConAgra Foods Inc.
james.nelson at ...74... 
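As an added illustration (not part of the post above or of the Snort rule set), the following Python script does over a whole Apache access log what the post describes doing by hand: it pulls Code Red probe requests out of log lines so the hits can be compared against what the signature fires on. It generalizes slightly to cover both the N filler (Code Red v1/v2) and the X filler (Code Red II) documented in CERT CA-2001-19; it assumes Apache common/combined log format, and the sample log lines are constructed, with the filler shortened.

```python
import re
from typing import Iterable, List, NamedTuple

# Common/combined log prefix: host ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Request shape from CERT CA-2001-19: /default.ida? then a long filler of N (Code Red v1/v2)
# or X (Code Red II), then %u-encoded shellcode. The filler length is deliberately not
# pinned, so a copy truncated by mail wrapping or log rotation still matches.
CODERED_RE = re.compile(
    r'/default\.ida\??(?P<filler>N{8,}|X{8,})(?P<payload>(?:%u[0-9a-fA-F]{4})+)'
)

class Hit(NamedTuple):
    host: str        # source address, i.e. the infected host doing the scanning
    ts: str          # Apache timestamp
    variant: str     # derived from the filler character
    filler_len: int
    status: str      # a 404 on a non-IIS server still records an infected peer probing you

def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per log line whose request matches the Code Red probe shape."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole scan
        c = CODERED_RE.search(m["req"])
        if c:
            variant = "Code Red II (X filler)" if c["filler"][0] == "X" else "Code Red v1/v2 (N filler)"
            hits.append(Hit(m["host"], m["ts"], variant, len(c["filler"]), m["status"]))
    return hits

# Constructed sample data (not real log lines). The %u bytes are the ones quoted in the rule
# above; the filler is shortened to 16 characters for readability.
PAYLOAD = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
           "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LOG = [
    f'198.51.100.7 - - [04/Aug/2001:10:12:01 -0500] "GET /default.ida?{"X" * 16}{PAYLOAD} HTTP/1.0" 404 285',
    f'203.0.113.9 - - [19/Jul/2001:22:03:44 -0500] "GET /default.ida?{"N" * 16}{PAYLOAD} HTTP/1.0" 404 285',
    '192.0.2.25 - - [04/Aug/2001:10:12:05 -0500] "GET /index.html HTTP/1.1" 200 1043',
    'this line is not in access-log format at all',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The `?` after `default.ida` is optional in the pattern so that a substring copied from a log without it still matches; the worm itself sends it.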
