Snort mailing list archives

RE: CodeRed Observations.


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Wed, 12 Mar 2003 16:13:09 -0500

But are you seeing the originating source of the attack 
establishing a TCP session (Three way handshake) with
your webservers? I'm not. It is almost like a stick or 
snort attack with codered packets.

vjl

-----Original Message-----
From: John York [mailto:YorkJ () brcc edu]
Sent: Wednesday, March 12, 2003 3:13 PM
To: larosa, vjay
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] CodeRed Observations.


The main difference I'm seeing is that the new CodeRed's send just a few
attempts to my web servers (cmd.exe, ida, etc) instead of pounding them
with a hundred or so like they did before.


John York
Network Engineer
Blue Ridge Community College
P.O. Box 80/One College Lane
Weyers Cave, VA 24486
540.453.2255

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-
admin () lists sourceforge net] On Behalf Of larosa, vjay
Sent: Wednesday, March 12, 2003 12:04 PM
To: 'intrusions () incidents org'
Cc: 'snort-users () lists sourceforge net'; 'focus-ids () securityfocus com'
Subject: [Snort-users] CodeRed Observations.

Hello,

I have been watching this recent spike in CodeRed activity and one thing I am noticing is the lack of TCP session establishment. I am seeing common get strings like this showing up at my firewalls without ever establishing a TCP three way handshake. I have seen several hundred packets within the last two days similar to this at my firewalls.

47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX

Snip------------------------------------------------------------------------------------------------------------------------

I find it awfully strange that there is no handshake (not even a single SYN to try and establish a session) but these packets show up anyway. I also am not seeing an increase of port 80 scans in my firewall logs or with any of my IDS sensors. Is anybody else out there seeing the same things we are?

Thanks!

vjl

V.Jay LaRosa                           EMC Corporation
Information Security                  4400 Computer Dr.
(508)898-7433 office                  Westboro, MA 01580
(508)353-1348 cell                     www.emc.com
888-799-9750 pager                   larosa_vjay () emc com
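An added illustration of the check the thread is circling around, written for this archive page and not taken from any of the posters: a small stateful pass that tracks SYN / SYN-ACK per TCP 4-tuple and separates CodeRed-style `GET /default.ida?XXX...` requests that arrive on a completed handshake from those that arrive with no handshake at all. The packet records, addresses and the `Pkt` helper are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """Constructed packet record (hypothetical helper, not a real capture)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str           # TCP flags as letters: "S", "SA", "A", "PA"
    payload: bytes = b""

# The request prefix quoted in the thread: GET /default.ida? followed by a run of X
CODERED = re.compile(rb"^GET /default\.ida\?X{10,}")

def classify(packets):
    """Return (established, stateless): CodeRed GETs seen on flows that completed
    a three-way handshake vs. flows where no SYN / SYN-ACK was ever observed."""
    syn_seen = set()      # client->server SYN observed on this 4-tuple
    synack_seen = set()   # server answered that SYN with SYN-ACK
    established, stateless = [], []
    for p in packets:
        flow = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            syn_seen.add(flow)
        elif p.flags == "SA" and rev in syn_seen:
            synack_seen.add(rev)
        elif p.payload and CODERED.match(p.payload):
            (established if flow in synack_seen else stateless).append(p)
    return established, stateless

# Constructed sample traffic: one genuine session, one handshake-less GET
REQ = b"GET /default.ida?" + b"X" * 64 + b" HTTP/1.0\r\n"
SAMPLE = [
    Pkt("10.0.0.5", "192.0.2.10", 1025, 80, "S"),
    Pkt("192.0.2.10", "10.0.0.5", 80, 1025, "SA"),
    Pkt("10.0.0.5", "192.0.2.10", 1025, 80, "A"),
    Pkt("10.0.0.5", "192.0.2.10", 1025, 80, "PA", REQ),
    Pkt("198.51.100.7", "192.0.2.10", 3333, 80, "PA", REQ),
]

if __name__ == "__main__":
    est, stl = classify(SAMPLE)
    print(f"{len(est)} CodeRed GET(s) on established sessions, {len(stl)} without a handshake")
```

Packets landing in the `stateless` bucket are the ones vjay describes: a payload-bearing segment with no prior SYN, which a purely signature-based rule would alert on identically to a real session.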




