.ida Intrusion Attempt

Russell Fulton r.fulton at auckland.ac.nz
Fri Jul 20 00:45:02 GMT 2001


On Thu, 19 Jul 2001 10:55:10 -0700 (PDT) Joe Smith 
<shadowm4n at yahoo.com> wrote:

> Interesting.  I played around with the rules some, and
> figured out why snort wasn't finding it with the .ida
> rule.  Since I'm only logging the first 100 bytes of
> data, the .ida rule misses it because part of the
> criteria of the rule is for data size to be greater
> than 239 bytes.
> 

Ahh... that explains that!  My snort was seeing some '.ida?' probes 
*but* none of the machines that got hit by the red code worm were 
logged.

The external addresses that were detected by snort appear to be probing 
random addresses on port 80 -- just like the red worm does.

Are there two versions out there?

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
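The snaplen effect Joe describes above, as an added illustration that is not part of the thread: a simplified model of a Snort-style rule that requires both the '.ida?' content and a data size greater than 239 bytes, run against the same constructed request before and after it is cut to the first 100 payload bytes. The rule semantics are reduced to a content check plus a length check, and the request is a constructed placeholder with 'X' padding, not worm traffic.

```python
# Constructed example: shows why a dsize-based rule cannot fire when the
# sensor only keeps the first 100 bytes of payload (values from the thread).

DSIZE_MIN = 240   # rule criterion: data size greater than 239 bytes
LOG_BYTES = 100   # payload bytes the poster's sensor was logging


def ida_rule_matches(payload: bytes, dsize_min: int = DSIZE_MIN) -> bool:
    """Simplified .ida rule: content '.ida?' present AND dsize >= dsize_min."""
    return b".ida?" in payload and len(payload) >= dsize_min


def content_only_matches(payload: bytes) -> bool:
    """Same rule with the dsize criterion dropped; survives truncation."""
    return b".ida?" in payload


def truncate(payload: bytes, limit: int = LOG_BYTES) -> bytes:
    """Mimic a sensor that records only the first `limit` payload bytes."""
    return payload[:limit]


def build_constructed_probe(pad_len: int) -> bytes:
    # Placeholder HTTP request; the 'X' run only models an over-long URI.
    return (b"GET /default.ida?" + b"X" * pad_len
            + b" HTTP/1.0\r\nHost: example\r\n\r\n")


def evaluate(payload: bytes) -> dict:
    """Compare what each rule variant sees on full vs. truncated payload."""
    cut = truncate(payload)
    return {
        "dsize_rule_full": ida_rule_matches(payload),
        "dsize_rule_truncated": ida_rule_matches(cut),
        "content_only_truncated": content_only_matches(cut),
        "captured_bytes": len(cut),
    }


if __name__ == "__main__":
    probe = build_constructed_probe(300)
    for key, value in evaluate(probe).items():
        print(f"{key}: {value}")
```

A capture length of at least 240 payload bytes (or a rule variant without the dsize test) is what lets the rule fire on the truncated log.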
