Security Incidents mailing list archives

Code Red v2 ?


From: Owen Creger <OCreger () CreativeSolutions com>
Date: Wed, 1 Aug 2001 16:29:09 -0400

Snort has been logging numerous web-cgi_http-cgi-pipe attacks.
When I look at the captured packets, they are the ida overflow from Code Red.
Could this be Code Red v2?  
The original signature is: 
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg: "IDS552/web-iis_IIS ISAPI Overflow ida"; dsize: >239; flags: A+; uricontent: ".ida?"; classtype: system-or-info-attempt; reference: arachnids,552;)
Is it possible that the dsize is causing the problem?

Owen C. Creger
Information Systems Security
Creative Solutions Inc.
7322 Newman Blvd.
Dexter, MI  48130
ph: 734-426-5860 ex. 3787
cell: 734-223-6270


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
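
Added example, not part of the original post and not Snort's own code: a simplified per-packet model of the three match options in the rule quoted above (dsize, flags, uricontent), so that a missed alert can be attributed to the option that failed. It assumes each TCP segment is evaluated on its own with no stream reassembly; the names Segment, evaluate and SAMPLES are hypothetical, and the payloads are constructed padding rather than captured traffic.

```python
# Simplified model of the rule options: dsize: >239; flags: A+; uricontent: ".ida?"
# Assumption: every packet is checked alone, without stream reassembly.
from dataclasses import dataclass

ACK, PSH = 0x10, 0x08  # TCP flag bits

@dataclass
class Segment:
    flags: int      # TCP flag byte of this packet
    payload: bytes  # TCP payload carried by this packet only

def request_uri(payload: bytes) -> bytes:
    """Return the URI of an HTTP request line, or b'' if there is none."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) >= 2 and parts[0] in (b"GET", b"POST", b"HEAD"):
        return parts[1]
    return b""

def evaluate(seg: Segment) -> dict:
    """Check each option separately; the rule alerts only if all are true."""
    checks = {
        "dsize>239": len(seg.payload) > 239,              # payload size test
        "flags:A+": bool(seg.flags & ACK),                # ACK set, other flags allowed
        "uricontent": b".ida?" in request_uri(seg.payload),
    }
    checks["alert"] = all(checks.values())
    return checks

# Constructed sample requests (padding only, no real worm payload).
_long = b"GET /default.ida?" + b"X" * 300 + b" HTTP/1.0\r\n\r\n"   # 330 bytes
_short = b"GET /default.ida?" + b"X" * 100 + b" HTTP/1.0\r\n\r\n"  # 130 bytes
SAMPLES = {
    "long_single_packet": Segment(ACK | PSH, _long),
    "short_single_packet": Segment(ACK | PSH, _short),
    "first_200_bytes_of_long": Segment(ACK, _long[:200]),  # request split across segments
    "long_other_uri": Segment(ACK | PSH, b"GET /index.html?" + b"X" * 300 + b" HTTP/1.0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        result = evaluate(seg)
        failed = [k for k, v in result.items() if k != "alert" and not v]
        print(f"{name:26} alert={result['alert']!s:5} failed={failed}")
```

In this model a request containing ".ida?" still fails the rule whenever the packet carrying the URI holds 239 bytes of payload or fewer, which is the case the dsize question is about.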