[Snort-users] LaBrea escalates event volume
bmccarty at ...5196...
Wed Mar 27 22:39:02 EST 2002
I spent time examining packet traces and determined that the mystery
packets are, in fact, CodeRed. The strings such as "GET /dddddd" are the
result of LaBrea forcing the worm to repeatedly resend the first character
of the intended URI. This artifact prevents the NIDS -- and prevented me,
for a time -- from recognizing the traffic as CodeRed.

I believe that the strings are CodeRed, because they consist of exactly the
same characters as the initial character of the various URIs used by
CodeRed. I sweep under the carpet the fact that "M" doesn't appear in the
CodeRed samples I've seen, figuring that's a minor variation when a half
dozen or more other letters match up just right and have roughly the proper

Another indicator is the preference for the host with IP address x.x.x.99,
which seems to me to be a result of CodeRed's imperfect random number

The high volume of alerts that prompted my original posting was found to be
due to NIDS rules that triggered on every packet, rather than only the SYN
packets. LaBrea encourages a tarpitted host by sending it a packet once in
a while, to keep the host interested. This was yielding lots of unnecessary
alerts. Initially, there were so many that my log reports wouldn't run! This
made it harder to figure out what was going on. Eventually, I did figure it
out and revised the relevant rules to trigger only on SYN packets. Shortly
thereafter, I received a helpful message from LaBrea's author, who'd
astutely recognized from afar the cause of my problem.

Now, everything's working great. I really enjoy imagining those frustrated
worms and would-be hackers <grin>. Today, I saw a manual attack from the
same host that launched a CodeRed earlier in the day. Talk about double fun!

So, shorten my original opening to merely "I don't think." Chris gets the

--On Monday, March 18, 2002 6:28 PM -0800 Bill McCarty <bmccarty at ...5196...>
> I don't think that the port 80 stuff is CodeRed or similar. Here's why.
> When I turn off my custom rules, I don't get all that many alerts.
> However, I do get an occasional CodeRed. I conclude that, if the packets
> were CodeRed, I'd continue getting a high volume of alerts when I turn
> off my custom rules. But, the volume goes down by an order of magnitude.
> So, I figure they're not CodeRed. Does that make sense?
>
> Looking at packet logs, I see stuff like "GET /dddddddddddddddddddddddd".
> I take these for intended buffer overflows. But, they generally seem way
> too short to do the job. Mind you, I have little experience with IIS and
> don't currently run any IIS boxes. So, perhaps I'm overstating its
> resistance to such apparently puny requests.
>
> But, even if I'm wrong and it is CodeRed or similar traffic, aren't I
> seeing too many of them? BTW, they're not coming from my network
> neighborhood. A goodly number come from Europe or Asia/Pacific. Many of
> the IP addresses are not resolvable by DNS.
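As an added illustration (not taken from the original post, and not LaBrea's or Snort's own rule sets), here is the shape of the rule change the post describes, written in Snort 2 rule syntax. The poster's actual custom rules are not shown on the list, so the message text, the SID in the local 1000000+ range and the use of the `$HOME_NET`/`$EXTERNAL_NET` variables are all assumptions.

```snort
# Added example, not the poster's real rules; SID and msg text are assumed.

# Before: no TCP flag test, so this rule fires on every packet of a
# tarpitted connection, including the worm's replies to the occasional
# packet LaBrea sends to keep it interested. One worm connection can
# therefore produce a long stream of alerts.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL inbound port 80 connection to tarpit"; sid:1000001; rev:1;)

# After: flags:S restricts the match to the initial SYN, so each
# connection attempt is logged once and the tarpit's keep-alive
# traffic no longer generates alerts.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL inbound port 80 SYN to tarpit"; flags:S; sid:1000001; rev:2;)
```

`flags:S` matches only when SYN is the sole flag set; if some clients set the two reserved (ECN) bits on their SYN, `flags:S,12` tells Snort to ignore those two bits when comparing, which is the form commonly used in the stock rule sets.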