Security Incidents mailing list archives

snort signature for new CodeRed variant


From: J Moll <jmoll-lists () my-mbox com>
Date: Sat, 4 Aug 2001 23:21:11 -0700

All:

I'm using this Snort signature to distinguish between the original and recent 
variant of CodeRed.  I'm sure it can be optimized -- grabbed a bit of the 
binary around the text "CodeRedII" in the packet to cut down on false 
alarms.  Putting it out so folks can log the differences.


alert tcp any any -> any 80 (msg:"CodeRedII Overflow"; flags:A+; \
  content:"|46 30 9a 02 00 00 e8 0a 00 00 00 43 6f 64 65 52 65 64 49 49 00 8b 1c 24 ff 55 d8 66 0b c0 0f 95|"; \
  depth:624;)


Best Regards,
Joe Moll

-- 
Joseph L. Moll, CISSP -- jmoll () autoproxy com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
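The following is an added example, not part of Joe Moll's message or of Snort: a small Python script that decodes the rule's hex content string, applies Snort's `depth` semantics (the whole pattern must fall inside the first 624 payload bytes), and runs it over three constructed payloads. The request lines, headers and body filler are made up here to have the right shape (a `/default.ida` request with a `%u`-encoded overflow followed by a binary body); they are not captures, and the offsets in real worm traffic differ. The helper names (`parse_snort_content`, `content_matches`, `classify`) are this example's own.

```python
import re

# Snort 'content' argument from the rule above. Snort ignores whitespace
# between hex digits inside |...|, so the grouping is cosmetic.
RULE_CONTENT = ("|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 "
                "ff55d866 0bc00f95|")
RULE_DEPTH = 624


def parse_snort_content(content: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Text between '|' pairs is hex (whitespace ignored); text outside the
    pipes is literal. Only the subset of the syntax this rule needs.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 1:                                   # inside |...|
            out += bytes.fromhex(re.sub(r"\s+", "", part))
        else:                                            # literal text
            out += part.encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, pattern: bytes, depth: int) -> bool:
    """Snort depth: the entire pattern must lie within the first `depth`
    bytes of the payload, so search the truncated slice, not the whole
    payload."""
    return payload[:depth].find(pattern) != -1


def embedded_string(pattern: bytes) -> str:
    """First printable run of 5+ bytes inside the pattern (the worm's
    marker string the rule was built around)."""
    m = re.search(rb"[ -~]{5,}", pattern)
    return m.group(0).decode("ascii") if m else ""


def build_payload(filler: str, body: bytes) -> bytes:
    """Constructed request of the right shape; not a real capture.
    Original CodeRed padded with 'N', CodeRedII with 'X'."""
    request = (
        f"GET /default.ida?{filler * 40}%u9090%u6858%ucbd3%u7801 HTTP/1.0\r\n"
        "Content-type: text/xml\r\n"
        "Content-length: 3379\r\n\r\n"
    ).encode("latin-1")
    return request + body


SIG = parse_snort_content(RULE_CONTENT)

# Constructed bodies: the rule's bytes early in the body, a body without the
# "CodeRedII" string at all, and the same bytes pushed past the 624-byte depth.
CODERED2_BODY = b"\x90" * 64 + SIG + b"\x00" * 32
CODERED1_BODY = b"\x90" * 64 + b"\x00" * 32
LATE_BODY = b"\x90" * 700 + SIG

SAMPLES = {
    "CodeRedII": build_payload("X", CODERED2_BODY),
    "CodeRed_v1": build_payload("N", CODERED1_BODY),
    "CodeRedII_beyond_depth": build_payload("X", LATE_BODY),
}


def classify(samples: dict) -> dict:
    """Map each sample name to whether the rule's content/depth test fires."""
    return {name: content_matches(p, SIG, RULE_DEPTH) for name, p in samples.items()}


if __name__ == "__main__":
    print("pattern contains:", embedded_string(SIG))
    for name, hit in classify(SAMPLES).items():
        print(f"{name}: {'CodeRedII Overflow' if hit else 'no alert'}")
```

The third sample is the caveat worth remembering about `depth:624`: if the marker bytes land later in the packet than the rule assumes (different padding, a request split across segments), the content still appears on the wire but the rule does not fire, which is a silent miss rather than a false alarm.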

