[Snort-sigs] RE: Snort-sigs digest, Vol 1 #53 - 2 msgs
Nelson, James (CC-MIS Plans and Prog)
James.Nelson at ...74...
Fri Aug 17 15:14:49 EDT 2001
I tested the rule. It does not work as printed below.
Remove the following and the rule will work like a charm:
Detection is not quite as fool-proof afterwards, but it seems to work quite
well. Apparently something was confusing the engine.
The next step is to generate a kill signature so devices that suffer from
HTTP DOS vulnerabilities that are hit by code red no longer fall victim to
code red's scanning.
From: snort-sigs-request at lists.sourceforge.net
[mailto:snort-sigs-request at lists.sourceforge.net]
Sent: Friday, August 17, 2001 2:09 PM
To: snort-sigs at lists.sourceforge.net
Subject: Snort-sigs digest, Vol 1 #53 - 2 msgs
1. Signature to detect Code Red Worm Installation (Index Server exploit) attempts (Nelson, James (CC-MIS Plans and Prog))
From: "Nelson, James (CC-MIS Plans and Prog)"
<James.Nelson at ...74...>
To: "'Snort-sigs at lists.sourceforge.net'"
<Snort-sigs at lists.sourceforge.net>
Date: Thu, 16 Aug 2001 17:17:38 -0500
Subject: [Snort-sigs] Signature to detect Code Red Worm Installation (Index
I did not see a contrib area on the site. I started by downloading the
current rules. I opened the webIIS rules file
# $Id: web-iis.rules,v 1.17 2001/08/07 02:18:44 roesch Exp $
# WEB-IIS RULES
I opened an apache web server access log and copied a Code Red C worm
attempt, then used it plus the other rules to build the following line to the
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg: "WEB-IIS CodeRed C Worm Attempt"; flags: A+;
%u00=a"; nocase; reference:cert,ca-2001-19; classtype: attempted-admin; sid: 9259; rev: 1;)
This rule is a horrible idea to install on anything facing the internet
right now, but if it works it should have value for anyone who wants to be
sure they don't have code red activity occurring on their private network. I
have not had a chance to test it, so let me know if it works.
I did not know what to put for the SID so I gave the rule a number that is
not in use by anything else in the rule download. What is the right thing
Is there a better (more efficient) method of composing a signature to
detect active code red worms trying to hit your network? Comments please!
Information Safety and Security
Corporate IT, ConAgra Foods Inc.
james.nelson at ...74...
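Editor's added example (not code from the original post or from the Snort project): the message above builds its signature from a Code Red request copied out of an Apache access log and keys on the trailing "%u00=a" with nocase. The Python below replays that idea over a few constructed access-log lines, once as the posted rule does it (marker substring only, case-insensitive) and once with a tighter check that also requires a GET for /default.ida and a run of %u escapes in the query. The /default.ida path and the three log lines are assumptions for the example; the post names neither.

```python
import re

# The byte sequence the posted rule keys on (the tail of the worm's request).
CODE_RED_MARKER = "%u00=a"

# Apache common log format: client ident user [time] "request" status size
APACHE_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Four or more consecutive %uXXXX escapes, the overlong-Unicode encoding the
# worm's request uses to carry its bytes through the ISAPI filter.
UNICODE_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}){4,}")

# Constructed sample log (not taken from the original post). The second line is
# shaped like a Code Red hit: GET /default.ida with a filler run, %u escapes and
# the marker at the end. The third is a benign request that happens to carry the
# same six characters in a query string.
CODE_RED_REQUEST = (
    "/default.ida?" + "X" * 40
    + "%u9090%u6858%ucbd3%u7801" * 3
    + "%u0000" + CODE_RED_MARKER
)
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [16/Aug/2001:17:02:11 -0500] "GET /index.html HTTP/1.0" 200 1043',
    f'198.51.100.7 - - [16/Aug/2001:17:05:38 -0500] "GET {CODE_RED_REQUEST} HTTP/1.0" 404 285',
    '203.0.113.5 - - [16/Aug/2001:17:06:02 -0500] "GET /search?q=%u00=a HTTP/1.0" 200 512',
])


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = APACHE_LINE.match(line)
    return m.groupdict() if m else None


def loose_match(target):
    """The posted rule's logic: case-insensitive substring match on the marker."""
    return CODE_RED_MARKER in target.lower()


def strict_match(method, target):
    """Tighter check: a GET for /default.ida (the Index Server ISAPI target;
    assumed here, not stated in the post) whose query ends with the marker and
    contains a run of %u escapes. Fewer false positives, same true positive."""
    path, sep, query = target.partition("?")
    if method != "GET" or not sep or path.lower() != "/default.ida":
        return False
    q = query.lower()
    return q.endswith(CODE_RED_MARKER) and UNICODE_RUN.search(q) is not None


def scan_log(text):
    """Return (client, marker_only_hit, strict_hit) for every parseable line."""
    results = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        results.append((rec["client"],
                        loose_match(rec["target"]),
                        strict_match(rec["method"], rec["target"])))
    return results


if __name__ == "__main__":
    for client, loose, strict in scan_log(SAMPLE_LOG):
        print(f"{client:<14} marker-only={loose!s:<5} strict={strict}")
```

Run it and the third line shows the cost of matching on six trailing characters alone: the benign query trips the marker-only check but not the stricter one. That is the trade-off behind the "not quite as fool-proof" remark in the reply, made visible on log data you control rather than on live traffic.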