Snort mailing list archives

CodeRed question amended


From: "Foster, Ken" <KFoster () federatedinv com>
Date: Fri, 10 Dec 2004 15:25:41 -0500


I'm having trouble getting Snort to detect the following packet that
clearly looks to me like a CodeRed:

21:30:30.064488 80.6.66.193.2437 > 46.5.23.118.80: P
760737404:760738832(1428) ack 2140171777 win 17520 (frag 25611:1448@0+)
0x0000   4500 05bc 640b 6000 6c06 b3f5 5006 42c1        E...d.`.l...P.B.
0x0010   2e05 1776 0985 0050 2d57 ee7c 7f90 6e01        ...v...P-W.|..n.
0x0020   5018 4470 e686 0000 4745 5420 2f64 6566        P.Dp....GET./def
0x0030   6175 6c74 2e69 6461 3f4e 4e4e 4e4e 4e4e        ault.ida?NNNNNNN

I am running on Windows XP (unfortunately) with Snort version:

Version 2.1.3-ODBC-MySQL-FlexRESP-WIN32 (Build 27)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net,
www.datanerds.net/~mike)
1.8 - 2.1 WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)

I don't know why rule 1243 below from web-iis.rules is not triggering.
Does anyone have any idea why this isn't working? I am getting alerts
from other rules and no errors, so I'm not sure where else to look at
this point.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?";
nocase; reference:arachnids,552; reference:bugtraq,1065;
reference:cve,2000-0071; classtype:web-application-attack; sid:1243;
rev:11;)

Thanks.

Ken Foster
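As an added illustration (not part of Ken's post): the script below decodes the four dump lines he quoted and reports the fields that rule 1243's preconditions depend on. The IP flags/fragment field (0x6000) shows this is the first fragment of a larger datagram (MF set, offset 0), and ".ida?" is present in the raw payload; since flow:to_server,established and uricontent: are evaluated against the stream and URI buffers that Snort's preprocessors build, one useful check is whether fragment reassembly and stream tracking are enabled in the snort.conf in use.

```python
import struct

# Constructed from the four hex-dump lines in the post; the dump stops at 0x0030,
# so only the first 24 payload bytes of this fragment are available here.
HEXDUMP = """\
0x0000   4500 05bc 640b 6000 6c06 b3f5 5006 42c1
0x0010   2e05 1776 0985 0050 2d57 ee7c 7f90 6e01
0x0020   5018 4470 e686 0000 4745 5420 2f64 6566
0x0030   6175 6c74 2e69 6461 3f4e 4e4e 4e4e 4e4e"""

def hexdump_to_bytes(dump):
    """Convert tcpdump -x style lines (offset column, then hex words) to raw bytes."""
    return b"".join(bytes.fromhex("".join(ln.split()[1:])) for ln in dump.splitlines())

def parse_ipv4(pkt):
    """Decode the fixed 20-byte IPv4 header; the fragmentation fields matter most here."""
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ihl": (ver_ihl & 0x0F) * 4, "total_len": total_len, "id": ident,
            "ttl": ttl, "proto": proto,
            "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000),
            "frag_offset": (frag & 0x1FFF) * 8,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def parse_tcp(seg):
    """Decode the TCP header and return the payload that follows it."""
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", seg[:16])
    doff = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "win": win,
            "data_offset": doff, "payload": seg[doff:]}

def analyse(dump, http_ports=(80,)):
    """Report what the rule's keywords would see if evaluated on this fragment alone."""
    pkt = hexdump_to_bytes(dump)
    ip = parse_ipv4(pkt)
    tcp = parse_tcp(pkt[ip["ihl"]:])
    return {"ip": ip, "tcp": tcp,
            # MF set with offset 0: the full HTTP request is split over several datagrams.
            "first_fragment_of_many": ip["mf"] and ip["frag_offset"] == 0,
            "to_http_port": tcp["dport"] in http_ports,          # $HTTP_PORTS check
            "raw_payload_has_ida": b".ida?" in tcp["payload"].lower(),  # nocase match
            # Payload length of this fragment as declared by the IP total length field.
            "segment_payload_len": ip["total_len"] - ip["ihl"] - tcp["data_offset"]}

if __name__ == "__main__":
    r = analyse(HEXDUMP)
    print(f"{r['ip']['src']}:{r['tcp']['sport']} -> {r['ip']['dst']}:{r['tcp']['dport']}")
    print("first fragment of many:", r["first_fragment_of_many"],
          "| '.ida?' in raw payload:", r["raw_payload_has_ida"])
```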



