Snort mailing list archives
CodeRed question amended
From: "Foster, Ken" <KFoster () federatedinv com>
Date: Fri, 10 Dec 2004 15:25:41 -0500
I'm having trouble getting Snort to detect the following packet that clearly looks to me like a CodeRed:

21:30:30.064488 80.6.66.193.2437 > 46.5.23.118.80: P 760737404:760738832(1428) ack 2140171777 win 17520 (frag 25611:1448@0+)
0x0000 4500 05bc 640b 6000 6c06 b3f5 5006 42c1 E...d.`.l...P.B.
0x0010 2e05 1776 0985 0050 2d57 ee7c 7f90 6e01 ...v...P-W.|..n.
0x0020 5018 4470 e686 0000 4745 5420 2f64 6566 P.Dp....GET./def
0x0030 6175 6c74 2e69 6461 3f4e 4e4e 4e4e 4e4e ault.ida?NNNNNNN

I am running on Windows XP (unfortunately) with Snort version:

Version 2.1.3-ODBC-MySQL-FlexRESP-WIN32 (Build 27)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8 - 2.1 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)

I don't know why rule 1243 below from web-iis.rules is not triggering. Does anyone have any idea why this isn't working? I am getting alerts from other rules and no errors, so I'm not sure where else to look at this point.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:1243; rev:11;)

Thanks.

Ken Foster
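As an added example (not from Ken's post and not Snort code), this Python script decodes the 64 bytes of the packet pasted above, reports the IP fragmentation and TCP flags the dump encodes, and applies the same case-insensitive ".ida?" URI test that the rule's uricontent clause performs. It models only that clause: flow:established, the $HTTP_SERVERS/$HTTP_PORTS variables and fragment reassembly are outside the snippet, and the dump covers only the first 64 of the packet's bytes.

```python
import re
import struct

# The four tcpdump -x lines quoted in the post (only the first 64 bytes survive there).
HEXDUMP = """\
0x0000 4500 05bc 640b 6000 6c06 b3f5 5006 42c1
0x0010 2e05 1776 0985 0050 2d57 ee7c 7f90 6e01
0x0020 5018 4470 e686 0000 4745 5420 2f64 6566
0x0030 6175 6c74 2e69 6461 3f4e 4e4e 4e4e 4e4e
"""

def hexdump_to_bytes(dump):
    """Drop the 0xNNNN offset column and join the hex words into raw bytes."""
    words = [w for line in dump.splitlines() for w in line.split()[1:]]
    return bytes.fromhex("".join(words))

def decode_packet(raw):
    """Decode the IPv4 and TCP headers into the fields a rule like sid:1243 depends on."""
    ver_ihl, _tos, _tlen, ip_id, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", raw[:10])
    ihl = (ver_ihl & 0x0F) * 4
    tcp = raw[ihl:]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "proto": proto, "sport": sport, "dport": dport,
        "ip_id": ip_id,
        "df": bool(flags_frag & 0x4000),          # Don't Fragment
        "mf": bool(flags_frag & 0x2000),          # More Fragments: tcpdump's trailing '+'
        "frag_offset": (flags_frag & 0x1FFF) * 8, # in bytes
        "psh": bool(off_flags & 0x08), "ack": bool(off_flags & 0x10),
        "payload": tcp[(off_flags >> 12) * 4:],   # data after the TCP header
    }

def uri_of(payload):
    """The request-line URI, which is the field uricontent inspects."""
    m = re.match(rb"[A-Z]+ (\S+)", payload)
    return m.group(1) if m else b""

def matches_sid1243(payload):
    """Same test as `uricontent:".ida?"; nocase;` applied to the URI."""
    return b".ida?" in uri_of(payload).lower()

if __name__ == "__main__":
    pkt = decode_packet(hexdump_to_bytes(HEXDUMP))
    print(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}  "
          f"id={pkt['ip_id']} DF={pkt['df']} MF={pkt['mf']} offset={pkt['frag_offset']}")
    print(f"URI {uri_of(pkt['payload'])!r} -> uricontent match: {matches_sid1243(pkt['payload'])}")
```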
Current thread:
- CodeRed question amended Foster, Ken (Dec 10)
- <Possible follow-ups>
- RE: CodeRed question amended Kliarsky, Adam D. (Dec 10)