TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

This was one of the few issues I questioned ISS about.  They did not fully
explain the detection signature.  I also found out the hard way that the
user-defined event for CodeRed actually relied on another HTTP signature. So,
when I defined the user-defined event with a blank policy (nothing checked),
the CodeRed user-defined event was not triggering.  After speaking to
several support engineers, finally one of them told me the user-defined
event is dependent on another signature...I still don't know which one, but
I loaded the default policy, leaving only the HTTP signatures checked.

Just for additional information, I actually turned on rskill and OPSEC to
SAM any detected event correlating to CodeRed.  I'm killing all suspicious
activities now, and I'll question them later... 8)

Vincent

-----Original Message-----
From: Dan Wangler [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 31, 2001 9:57 AM
To: [EMAIL PROTECTED]
Subject: Code Red for RealSecure


I received the X-Press alert for Code Red yesterday.  In it was some good
information on what it is and does and how to detect it.

I do have a question concerning the RS signature.  In the text of the alert,
it says that Code Red sends the string "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a".

However, the signature string for RS is simply "default\.ida$".  I do not
understand how the two can relate since the RS string does not match that
part of the attack.  Can someone explain it for me?

Thanks


Dan Wangler, GIAC Certified Intrusion Analyst
IT Security Engineering and Development
IT Security, Texas Instruments, Inc.
6500 Chase Oaks Blvd., MS 8417
Plano, Texas, 75023, Phone: 972-927-8304
Email: [EMAIL PROTECTED]
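As an added illustration (not from the thread, and not ISS's actual RealSecure matching engine), the snippet below shows why an end-anchored pattern like "default\.ida$" can only fire if the sensor applies it to the URI path by itself, not to the full request-target with the query string attached. The sample request line is constructed from a shortened form of the string quoted in the alert; the assumption that the sensor tokenizes the request line and strips the query before matching is mine.

```python
import re
from urllib.parse import urlsplit

# Signature pattern as quoted in the thread.
RS_PATTERN = re.compile(r"default\.ida$")

# Constructed sample: Code Red request line, shortened from the one
# quoted in the X-Press alert (the real one has a much longer run of N's).
CODE_RED_REQUEST_LINE = (
    "GET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0"
)
BENIGN_REQUEST_LINE = "GET /index.html HTTP/1.0"


def request_target(request_line):
    """Return the request-target (second token) of an HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line: %r" % request_line)
    return parts[1]


def matches_full_target(request_line):
    """Apply the pattern to the whole request-target, query string included.

    With the query attached the target ends in '...%u00=a', so an
    end-anchored 'default\\.ida$' never matches the Code Red request.
    """
    return RS_PATTERN.search(request_target(request_line)) is not None


def matches_path_only(request_line):
    """Apply the pattern to the path component only (everything before '?').

    This is the assumed sensor behaviour under which the quoted
    signature does detect the request: the path is just '/default.ida'.
    """
    path = urlsplit(request_target(request_line)).path
    return RS_PATTERN.search(path) is not None


def classify(request_line):
    """Report both interpretations side by side for one request line."""
    return {
        "full_target": matches_full_target(request_line),
        "path_only": matches_path_only(request_line),
    }
```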
