[Dshield] How Do You Detect Code Red Host Scans
johnh at aproposretail.com
Sat Aug 4 17:55:14 GMT 2001
On Thu, 2 Aug 2001, Tim Dwayne Southard wrote:
> My IDS (Cisco Secure) is not detecting the host scans from infected
> machines. I can see the default.ida?NNN stuff but I think that is the
> second stage (infection). I need to see the port 80 scans regardless
> of whether they are scanning MS boxes. Any assistance will be repaid
> with good Karma.
There actually *isn't* a scanning phase from what I understand. The worm
picks an IP address and sends the exploit to port 80, and then moves on to
the next address. That's why Cisco routers etc. are being nuked by it.
Internal Systems Administrator
Apropos Retail Management Systems, Inc.
<johnh at aproposretail.com>
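
Added example, not part of the original post and not code from any product named in it: the reply above says the worm sends the exploit to port 80 with no separate scan, so the default.ida?NNN request in a web server's access log is itself the record of the probe. The sketch below counts such requests per source address; the Common Log Format layout, the sample lines (constructed, with a shortened N run), the min_pad threshold and the function names are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format). Addresses come from
# documentation ranges; the N padding is shortened for readability.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2001:17:01:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [04/Aug/2001:17:01:09 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [04/Aug/2001:17:03:40 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
203.0.113.44 - - [04/Aug/2001:17:05:11 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [04/Aug/2001:17:06:00 +0000] "GET /default.ida HTTP/1.0" 404 270
"""

# host ident user [timestamp] "METHOD target ..." status
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def find_probes(log_text, min_pad=8):
    """Return {source_ip: [(timestamp, status), ...]} for default.ida?NNN requests.

    min_pad is a hypothetical threshold: the shortest run of N characters
    after the '?' that is treated as the padding described in the thread.
    """
    # The file name is matched case-insensitively; the padding must be 'N'.
    probe = re.compile(r"(?i:/default\.ida)\?N{%d,}" % min_pad)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        src, when, _method, target, status = m.groups()
        # Any web server logs the request, whether or not it runs IIS, so a
        # 404 here still identifies the sender as a probable infected host.
        if probe.match(target):
            hits[src].append((when, int(status)))
    return dict(hits)


def summarize(hits):
    """Rows of (source_ip, request_count, first_seen), busiest source first."""
    rows = [(src, len(events), events[0][0]) for src, events in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for src, count, first_seen in summarize(find_probes(SAMPLE_LOG)):
        print(f"{src:15}  requests={count}  first_seen={first_seen}")
```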