[Snort-users] Alerts question

Scott Zawalski scott.zawalski at ...5689...
Wed Jul 14 08:45:29 EDT 2004

If you are using the standard rule set then you should see some trips on 
the readme.eml content:

Rules  1284 and 1290. 

As far as a specific CodeRed sid only 1256 applies for CodeRed v2 rule 
and it looks for /root.exe uricontent


Randy Ramsdell wrote:

> I have been getting scanned daily by a host that is infected with 
> "code red". Obviously a web server is running on it and I went there 
> and found the typical script trying to push "readme.eml."
> So, shouldn't snort catch this?
> I just need to know if it should without getting into specifics of my 
> configuration.
> I read that snort should detect "code red" if you go the the sight, 
> but I am not sure if this is true.
> -------------------------------------------------------
> This SF.Net email sponsored by Black Hat Briefings & Training.
> Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital 
> self defense, top technical experts, no vendor pitches, unmatched 
> networking opportunities. Visit www.blackhat.com
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list