[Snort-sigs] RE: Snort-sigs digest, Vol 1 #53 - 2 msgs

Nelson, James (CC-MIS Plans and Prog) James.Nelson at ...74...
Fri Aug 17 15:53:58 EDT 2001

One more change.  

It seems that the .ida access rule was matching instead of my code red worm
activity rule.  I moved the rule so it is above the .ida rule and now the
correct rule match occurs.  

Mine is immediately before the "WEB-IIS ISAPI .ida attempt" rule.
(Immediately after the .printers access rule)

-----Original Message-----
From: Nelson, James (CC-MIS Plans and Prog) 
Sent: Friday, August 17, 2001 2:15 PM
To: snort-sigs at lists.sourceforge.net
Subject: RE: Snort-sigs digest, Vol 1 #53 - 2 msgs

List subscribers:

I tested the rule.  It does not work as printed below.  

Remove the following and the rule will work like a charm:


Detection is not quite as fool-proof afterwards, but it seems to work quite
well.  Apparently something was confusing the engine.

The next step is to generate a kill signature so devices that suffer from
HTTP DOS vulnerabilities that are hit by code red no longer fall victim to
code red's scanning.

Comments please!


-----Original Message-----
From: snort-sigs-request at lists.sourceforge.net
[mailto:snort-sigs-request at lists.sourceforge.net]
Sent: Friday, August 17, 2001 2:09 PM
To: snort-sigs at lists.sourceforge.net
Subject: Snort-sigs digest, Vol 1 #53 - 2 msgs

Send Snort-sigs mailing list submissions to
	snort-sigs at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
	snort-sigs-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-sigs-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."

Today's Topics:

   1. Signature to detect Code Red Worm Installation (Index Server expl
       oit) attempts (Nelson, James (CC-MIS Plans and Prog))


Message: 1
From: "Nelson, James (CC-MIS Plans and Prog)"
	 <James.Nelson at ...74...>
To: "'Snort-sigs at lists.sourceforge.net'"
	 <Snort-sigs at lists.sourceforge.net>
Date: Thu, 16 Aug 2001 17:17:38 -0500
Subject: [Snort-sigs] Signature to detect Code Red Worm Installation (Index
Server expl
 oit) attempts

List subscribers,
I did not see a contrib area on the site.  I started by downloaded the
current rules.  I opened the webIIS rules file

# $Id: web-iis.rules,v 1.17 2001/08/07 02:18:44 roesch Exp $

I opened an apache web server access log and copied a Code Red C worm
attempt, then used it plus the other rules to build following line to the

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg: "WEB-IIS CodeRed C
Worm Attempt"; flags: A+;
%u00=a"; nocase;reference:cert,ca-2001-19; classtype: attempted-admin; sid:
9259; rev: 1;)

This rule is a horrible idea to install on anything facing the internet
right now, but if it works it should have value for anyone who wants to be
sure they don't have code red activity occuring on their private network.  I
have not had a chance to test it, so let me know if it works.

I did not know what to put for the SID so I gave the rule a number that is
not in use by anything else in the rule download.  What is the right thing
to do?

Is there a better way (more efficient) method of composing a signature to
detect active code red worms trying to hit your network?  Comments please!

James Nelson 
Security Technologist 
Information Safety and Security 
Corporate IT, ConAgra Foods Inc.
james.nelson at ...74... 


Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

End of Snort-sigs Digest

More information about the Snort-sigs mailing list