[Snort-users] Code Red attacks

Gordon Ewasiuk gewasiuk at ...3392...
Mon Sep 17 04:04:05 EDT 2001


On Today, Peter Borner wrote:
>Does anyone have any suggestions as to how I can escalate this issue and
>get the owners of the offending machines to clean up their act?

Hi Peter,

There are a few tools that will slow down, redirect, or block code red
probes.  Not sure how effective they are...I was lazy and just filtered
incoming code red probes via a dirty little script that updates ACLs on my
Foundry switches.

Some links/tools:

>I wrote one too, but in awk.  With a shell script add-on.  It's running
>on FreeBSD 4.3 with the following added to apache's httpd.conf:
>        CustomLog "| /path/to/coderedalert" common
>
>http://www.it.ca/software/coderedalert - build the email
>http://www.it.ca/software/ipcontacts - grabs contact emails for the IP

>I got my copy from http://www.dasbistro.com/default_ida_info.html
>
> For Apache, try Apache::CodeRed... available from http://www.cpan.org

> To download CodeRed Scanner go to:
> http://www.eeye.com/html/Research/Tools/codered.html

>CCO official release on blocking code red w/ IOS NBAR -
>http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

>There is a useful document at: http://www.incidents.org/diary/diary.php
>which offers an explanation of what CRII does and some useful ways on how
>we can stop it eg by filtering at transparent caches etc - worth a read.

Regards,

-Gordon

--------------------------------------------------
Gordon Ewasiuk, Certified Sun Fanatic,  Winstar VHC
The REAL office number is here----->  703.893.4901
Tired of BSODs, My Computer, and Code Red?
http://www.sun.com/solaris/binaries/
-------------------------------------------------
  3:50am  up 1 day(s), 19:41,  1 user,  load average: 1.09, 1.15, 1.20
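As an added example (not Gordon's script, nor the awk alerter or any tool linked above), here is a small sh/awk filter in the spirit of the CustomLog-piped approach: it reads Apache common-log lines, counts requests for /default.ida per source address, and turns the result into one deny line per address. The log lines are constructed samples and the "deny" line syntax is a generic placeholder, not Foundry or IOS ACL syntax.

```shell
#!/bin/sh
# Constructed sample of Apache "common" log lines (not taken from any real server).
# Lines 1, 3 and 4 are Code Red style probes (NNNN = CRv1, XXXX = CRII);
# lines 2 and 5 are ordinary requests that must not be flagged.
SAMPLE_LOG='192.0.2.10 - - [17/Sep/2001:03:41:12 -0400] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 276
198.51.100.7 - - [17/Sep/2001:03:42:01 -0400] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [17/Sep/2001:03:43:55 -0400] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 276
192.0.2.10 - - [17/Sep/2001:03:44:30 -0400] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 276
203.0.113.9 - - [17/Sep/2001:03:45:02 -0400] "GET /robots.txt HTTP/1.0" 200 68'

# Read common-log lines on stdin; print "ip count" for every source address
# that requested /default.ida, most active source first.
codered_sources() {
    awk -F'"' '
        {
            # With the double quote as separator, $1 is "host ident user [date] "
            # and $2 is the request line "METHOD URI PROTOCOL".
            split($1, pre, " "); ip = pre[1]
            split($2, req, " "); uri = req[2]
            if (uri ~ /^\/default\.ida\?/) hits[ip]++
        }
        END { for (ip in hits) print ip, hits[ip] }
    ' | sort -k2,2nr -k1,1
}

# Map the per-source counts to one deny line per address.  "deny <ip>" is a
# placeholder; a real deployment would emit the ACL syntax of the device in use.
deny_lines() {
    codered_sources | awk '{ print "deny", $1 }'
}

# Number of distinct probing sources found in the sample (used as a sanity check).
sample_source_count() {
    printf '%s\n' "$SAMPLE_LOG" | codered_sources | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | deny_lines
```

In a live setup the same functions would read the log from a CustomLog pipe or a tail of access_log rather than from the embedded sample.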