[Snort-users] LaBrea escalates event volume

Bill McCarty bmccarty at ...5196...
Wed Mar 27 22:39:02 EST 2002

Hi Chris,

I spent time examining packet traces and determined that the mystery 
packets are, in fact, CodeRed. The strings such as "GET /dddddd" are the 
result of LaBrea forcing the worm to repeatedly resend the first character 
of the intended URI. This artifact prevents the NIDS -- and prevented me, 
for a time -- from recognizing the traffic as CodeRed.

I believe that the strings are CodeRed, because they consist of exactly the 
same characters as the initial character of the various URIs used by 
CodeRed. I sweep under the carpet the fact that "M" doesn't appear in the 
CodeRed samples I've seen, figuring that's a minor variation when a half 
dozen or more other letters match up just right and have roughly the proper 

Another indicator is the preference for the host with IP address x.x.x.99, 
which seems to me to be a result of CodeRed's imperfect random number 

The high volume of alerts that prompted my original posting was found to be 
due to NIDS rules that triggered on every packet, rather than only the SYN 
packets. LaBrea encourages a tarpitted host by sending it a packet once in 
a while, to keep the host interested. This was yielding lots of unnecessary 
alerts. Initially, they were so many that my log reports wouldn't run! This 
made it harder to figure out what was going on. Eventually, I did figure it 
out and revised the relevant rules to trigger only on SYN packets. Shortly 
thereafter, I received a helpful message from LaBrea's author, who'd 
astutely recognized from afar the cause of my problem.

Now, everything's working great. I really enjoy imagining those frustrated 
worms and would-be hackers <grin>. Today, I saw a manual attack from the 
same host that launched a CodeRed earlier in the day. Talk about double fun!

So, shorten my original opening to merely "I don't think." Chris gets the 


--On Monday, March 18, 2002 6:28 PM -0800 Bill McCarty <bmccarty at ...5196...> 

> I don't think that the port 80 stuff is CodeRed or similar. Here's why.
> When I turn off my custom rules, I don't get all that many alerts.
> However, I do get an occasional CodeRed. I conclude that, if the packets
> were CodeRed, I'd continue getting a high volume of alerts when I turn
> off my custom rules. But, the volume goes down by a order of magnitude.
> So, I figure they're not CodeRed. Does that make sense?
> Looking at packet logs, I see stuff like "GET /dddddddddddddddddddddddd".
> I take these for intended buffer overflows. But, they generally seem way
> too short to do the job. Mind you, I have little experience with IIS and
> don't currently run any IIS boxes. So, perhaps I'm overstating its
> resistance to such apparently puny requests.
> But, even if I'm wrong and it is CodeRed or similar traffic, aren't I
> seeing too many of them? BTW, they're not coming from my network
> neighborhood. A goodly number come from Europe or Asia/Pacific. Many of
> the IP addresses are not resolvable by DNS.

Bill McCarty

More information about the Snort-users mailing list