Snort mailing list archives
Re: CodeRedII again?
From: Skip Carter <skip () taygeta com>
Date: Wed, 22 Aug 2001 09:13:45 -0700
Had a warez "attack" on our web/ftp server last two days (thinking of writing some rules for detecting it, can be interesting?), and noticed quite some Code Red alerts in the logs, the thing I reacted on was that it contained the string "CodeRedII"... Anyone know about this variant? Btw, does anyone know if it's possible to add more than one "detection-string" to a rule?
I wouldn't put too much energy in looking for the 'CodeRedII' string; yesterday we started seeing a variation where that string is replaced with '_________' but is otherwise identical.

--
Dr. Everett (Skip) Carter
Phone: 831-641-0645
FAX: 831-641-0647
Taygeta Scientific Inc.
1340 Munras Ave., Suite 314
Monterey, CA. 93940
INTERNET: skip () taygeta com
UUCP: ...!uunet!taygeta!skip
WWW: http://www.taygeta.com/skip.html
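An added example, not part of either poster's message: a signature keyed on the embedded label compared with one that requires several content strings at once, run over constructed payloads. The request features used (`/default.ida?` plus `%u`-encoded data), the filler lengths and all names are assumptions made for illustration, not details from this thread.

```python
# Added illustration; the payloads below are constructed stand-ins, not captures.

# Rule keyed on the label embedded in the worm body.
MARKER_RULE = [b"CodeRedII"]

# Assumed alternative: key on the shape of the request itself.
# Two content strings, both required (AND semantics, like several
# content options in a single Snort rule).
SHAPE_RULE = [b"GET /default.ida?", b"%u"]


def matches(rule, payload):
    """Return True only if every content string of the rule is in the payload."""
    return all(content in payload for content in rule)


def make_payload(label):
    """Build a constructed request whose only varying part is the label."""
    request = b"GET /default.ida?" + b"X" * 224 + b"%u9090%u9090=a HTTP/1.0\r\n\r\n"
    body = b"\x00" * 16 + label + b"\x00" * 16
    return request + body


SAMPLES = {
    "original": make_payload(b"CodeRedII"),
    "variant": make_payload(b"_________"),  # label replaced, otherwise identical
    "benign_ida": b"GET /default.ida?q=1 HTTP/1.0\r\n\r\n",
    "benign": b"GET /index.html HTTP/1.0\r\n\r\n",
}


def evaluate(rule):
    """Map each sample name to whether the rule fires on it."""
    return {name: matches(rule, payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for title, rule in (("marker", MARKER_RULE), ("shape", SHAPE_RULE)):
        print(title, evaluate(rule))
```

The label-based rule stops firing as soon as the label is replaced, while the two-string rule still fires on both samples and stays quiet on the benign `/default.ida?q=1` request because the second string is absent.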
Current thread:
- CodeRedII again? Pontus Joakimsson (Aug 22)
- Re: CodeRedII again? Ryan Russell (Aug 22)
- Re: CodeRedII again? Skip Carter (Aug 22)