Security Incidents mailing list archives
snort signature for new CodeRed varient
From: J Moll <jmoll-lists () my-mbox com>
Date: Sat, 4 Aug 2001 23:21:11 -0700
All: I'm using this Snort signature to distinguish between the original and recent varient of CodeRed. I'm sure it can be optimized -- grabbed a bit of the binary around the text "CodeRedII" in the packet to cut down on false alarms.. putting it out so folks can log the differences. alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; flags: A+; content: "|46309a02 0000e80a 00000043 6f646552 65644949 008b1c24 ff55d866 0bc00f95|"; depth:624;) Best Regards, Joe Moll -- Joseph L. Moll, CISSP -- jmoll () autoproxy com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- snort signature for new CodeRed varient J Moll (Aug 04)
- Re: snort signature for new CodeRed varient David Brown (Aug 05)
- Re: snort signature for new CodeRed varient Joe Moll (Aug 05)
- Re: snort signature for new CodeRed varient David Brown (Aug 05)