
List:       incidents
Subject:    'Double' hits with CodeRedII
From:       Sven Carstens <s.carstens () gmx ! de>
Date:       2001-08-06 10:30:35

Hi all,

The Snort rule for the new one is working quite well here.
In the normal case, that is!
I found a couple of 'duplicate' hits with the standard .ida?
alert and the additional CodeRedII alert.
Those alerts show that a proxy was handling these requests.
It seems to truncate the byte stream after the HTTP header
and starts a new packet for the HTTP body. This way the
.ida? rule will match on the first packet and the CodeRedII
rule will match on the second one.

Anyway, the rules for the original CRv1 and CRv2 always give
me double positives here. The first alert has a mangled
packet content (first 4 bytes missing) and sometimes even the
rest of the packet can contain arbitrary data. The worst is that
I sometimes get single alerts and these can be matched to
regular web traffic that bears no resemblance to the worm
in any way. (Fyodor[Snort] is contacted)

CU Sven
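The proxy behaviour described in the post, shown as an added illustration that is not part of the original message: a toy per-packet content matcher versus stream reassembly, run over one request sent whole and the same request split at the header/body boundary. The rule contents ".ida?" and "CodeRedII" and the request bytes are constructed assumptions, not real Snort rules.

```python
# Added illustration: why a request split across two packets produces two
# separate alerts under per-packet content matching but a single match
# over the reassembled stream. Rule contents and the request bytes are
# constructed assumptions, not real Snort signatures or worm traffic.
from typing import Dict, List, Tuple

# Toy stand-ins for the two content rules discussed in the post (assumed)
RULES: Dict[str, bytes] = {
    "ida": b".ida?",            # the generic .ida? request-line check
    "CodeRedII": b"CodeRedII",  # the CodeRedII-specific marker (in the body)
}

# Constructed sample request: the .ida? token is in the request line,
# the worm marker is in the body that follows the blank line.
HEADER = b"GET /default.ida?" + b"X" * 40 + b" HTTP/1.0\r\nHost: example\r\n\r\n"
BODY = b"\x00\x00CodeRedII\x00" + b"\x90" * 16


def match_rules(payload: bytes) -> List[str]:
    """Return the names of every rule whose content occurs in one payload."""
    return [name for name, needle in RULES.items() if needle in payload]


def alerts_per_packet(packets: List[bytes]) -> List[Tuple[int, str]]:
    """Packet-level inspection: each packet is matched on its own, so a
    split request yields hits in different packets (the 'double' hits)."""
    hits: List[Tuple[int, str]] = []
    for idx, pkt in enumerate(packets):
        hits.extend((idx, name) for name in match_rules(pkt))
    return hits


def alerts_reassembled(packets: List[bytes]) -> List[str]:
    """Stream reassembly: match once over the concatenated request, so
    both rules fire on the same reassembled buffer and can be de-duplicated."""
    return match_rules(b"".join(packets))


if __name__ == "__main__":
    direct = [HEADER + BODY]   # one segment, as a client sends it directly
    proxied = [HEADER, BODY]   # proxy flushes the header, then sends the body
    print("direct,  per packet :", alerts_per_packet(direct))
    print("proxied, per packet :", alerts_per_packet(proxied))
    print("proxied, reassembled:", alerts_reassembled(proxied))
```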


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
