Snort mailing list archives
RE: CodeRed from non-IIS machines???
From: Kevin Brown <Kevin.M.Brown () asu edu>
Date: Tue, 07 Aug 2001 12:57:17 -0700
What does the rule look like that is catching this behavior? It is likely the rule needs to be tuned or altered to reduce the potential number of false positives.
I've been learning Snort on the fly attempting to track down CodeRed-infected machines here at my university. Unfortunately, we have many partially-administered IIS servers on the network. Fortunately, that number is dropping as a result of CodeRed and CodeRed II. I started seeing some very odd things since getting 1.8.1-beta6 up and running on Solaris8 / Ultra5 last night. What I'm seeing is several machines that are NOT Win2k boxes OR running IIS being the sources of CodeRed I-style overflows. All IPs seem to be NT4.0 or 98 boxes, some of them locked-down lab workstations. The destination addresses are rather odd, as well, being rather popular surfing destinations, such as cgi.ebay.com, aolmail.aol.com, www.law8.hotmail.com, and our ISP's akamaitech cache, not random, off-the-wall hits and misses like I expected. I was able to get a peek at one of the machines this morning, and did not find anything unusual, although Explorer seemed rather willing to segfault rather frequently. Coming from a UNIX background, I wasn't exactly sure where to look for anything nasty, and I was also perplexed as this was a lab machine that is pretty neatly locked down (AFAIK). Has anyone else found anything similar?
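As an added example, not code from either poster, here is one way to do the sorting Kevin's reply points at before touching the rule: parse Snort fast-format alert lines and count, per source host, how many distinct destinations fired the signature. A worm sprays port 80 on many addresses in a short window; a workstation whose browser tripped the rule against a handful of popular sites does not. The alert lines, the rule id and message text, the two hosts and the 10.0.0.0/8 home network are all constructed or assumed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Snort 1.x "fast" alert line layout (classification/priority fields optional), e.g.
# 08/07-09:12:33.101 [**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**] {TCP} 10.1.2.3:1040 -> 203.0.113.10:80
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?(?:\[Priority: \d+\] )?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def _line(ts, src, sport, dst):
    """Build one constructed alert line; the sid/message are illustrative."""
    return (f"08/07-{ts} [**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**] "
            f"[Classification: Web Application Attack] [Priority: 1] "
            f"{{TCP}} {src}:{sport} -> {dst}:80")


# Constructed host A: three alerts to two external web servers across two hours,
# the "lab box hitting popular sites" pattern the thread describes.
_HOST_A = [
    _line("09:12:33.101", "10.1.2.3", 1040, "203.0.113.10"),
    _line("09:40:12.204", "10.1.2.3", 1058, "203.0.113.20"),
    _line("11:02:51.330", "10.1.2.3", 1201, "203.0.113.10"),
]
# Constructed host B: twelve alerts in twelve seconds to twelve different addresses,
# half of them inside the home network, the spray pattern of a worm hunting port 80.
_HOST_B = [
    _line(f"09:12:{40 + i:02d}.000", "10.1.9.9", 3000 + i,
          f"10.1.{20 + i}.5" if i % 2 == 0 else f"198.51.100.{i + 1}")
    for i in range(12)
]
SAMPLE_ALERTS = "\n".join(_HOST_A + _HOST_B) + "\n"

SCAN_DST_THRESHOLD = 8  # assumed cut-off for "too many distinct targets"; tune per site


def parse_alerts(text):
    """Return one dict per well-formed fast-format alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def summarize_by_source(alerts, home_net="10.0.0.0/8"):
    """Per source host: alert count, distinct destinations, how many were internal."""
    home = ip_network(home_net)
    stats = defaultdict(lambda: {"alerts": 0, "dsts": set(), "internal": set(), "dports": set()})
    for a in alerts:
        s = stats[a["src"]]
        s["alerts"] += 1
        s["dsts"].add(a["dst"])
        if ip_address(a["dst"]) in home:
            s["internal"].add(a["dst"])
        s["dports"].add(int(a["dport"]))
    return {
        src: {"alerts": s["alerts"], "unique_dsts": len(s["dsts"]),
              "internal_dsts": len(s["internal"]), "dports": sorted(s["dports"])}
        for src, s in stats.items()
    }


def classify(summary, threshold=SCAN_DST_THRESHOLD):
    """Split sources into hosts worth pulling off the wire and alerts worth re-examining the rule for."""
    verdicts = {}
    for src, s in summary.items():
        if s["unique_dsts"] >= threshold:
            verdicts[src] = "likely infected: spraying many destinations, isolate and inspect the host"
        else:
            verdicts[src] = "browsing-like: few destinations, review the rule for false positives"
    return verdicts


if __name__ == "__main__":
    summary = summarize_by_source(parse_alerts(SAMPLE_ALERTS))
    for src, verdict in classify(summary).items():
        s = summary[src]
        print(f"{src:<12} alerts={s['alerts']:<3} dsts={s['unique_dsts']:<3} "
              f"internal={s['internal_dsts']:<2} ports={s['dports']}  {verdict}")
```

Run it against a real `alert` file by replacing `SAMPLE_ALERTS` with the file contents; hosts that land in the "browsing-like" bucket are the ones to compare against the rule's direction and `flow` options, since a signature written to fire on requests arriving at your own web servers should not be matching a workstation's outbound requests at all.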