.ida Intrusion Attempt
r.fulton at auckland.ac.nz
Fri Jul 20 00:45:02 GMT 2001
On Thu, 19 Jul 2001 10:55:10 -0700 (PDT) Joe Smith
<shadowm4n at yahoo.com> wrote:
> Interesting. I played around with the rules some, and
> figured out why snort wasn't finding it with the .ida
> rule. Since I'm only logging the first 100 bytes of
> data, the .ida rule misses it because part of the
> criteria of the rule is for data size to be greater
> than 239 bytes.
Ahh... that explains that! My snort was seeing some '.ida?' probes
*but* none of the machines that got hit by the red code worm were
The external addresses that were detected by snort appear to be probing
random addresses on port 80 -- just like the red worm does.
Are there two versions out there?
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
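The interaction Joe describes above (a rule that needs dsize > 239 being evaluated against a 100-byte captured payload) can be shown with a small model. The following is an added example, not code from this thread or from Snort: it emulates a rule of the form content ".ida?" plus dsize > 239 and runs it against one constructed HTTP request under several capture sizes. The function names, the sample request and the simplified rule evaluation are assumptions for illustration.

```python
"""Added example (not from the thread, not Snort's code): shows why a rule
that requires dsize > 239 misses a long '.ida?' request when the sensor keeps
only the first 100 bytes of payload. Rule evaluation is a simplified emulation."""
from dataclasses import dataclass


@dataclass
class CapturedPacket:
    wire_len: int     # payload bytes that were actually on the wire
    payload: bytes    # payload bytes the sensor kept (possibly truncated)


def capture(wire_payload: bytes, snaplen: int) -> CapturedPacket:
    """Model a sensor that logs only the first `snaplen` bytes of payload."""
    return CapturedPacket(wire_len=len(wire_payload), payload=wire_payload[:snaplen])


def ida_rule_matches(pkt: CapturedPacket,
                     content: bytes = b".ida?",
                     min_dsize: int = 239) -> bool:
    """Emulate 'content:".ida?"; dsize:>239;' as the thread describes it:
    both tests run on the captured bytes, so truncation shrinks dsize."""
    return content in pkt.payload and len(pkt.payload) > min_dsize


def evaluate_snaplens(wire_payload: bytes, snaplens) -> dict:
    """Return {snaplen: matched} for the same wire packet under several capture sizes."""
    return {s: ida_rule_matches(capture(wire_payload, s)) for s in snaplens}


# Constructed sample request (not a real capture): a long GET for a .ida
# resource whose payload is well over 239 bytes on the wire (330 bytes).
SAMPLE_REQUEST = b"GET /default.ida?" + b"X" * 300 + b" HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for snaplen, hit in evaluate_snaplens(SAMPLE_REQUEST, [100, 240, 1500]).items():
        cap = capture(SAMPLE_REQUEST, snaplen)
        print(f"snaplen={snaplen:5d} captured={len(cap.payload):4d} "
              f"of {cap.wire_len} wire bytes -> match={hit}")
```

With a 100-byte capture the '.ida?' content test still succeeds (the marker sits in the first 20 bytes) but the size test sees only 100 bytes and fails; at 240 bytes or full capture the same packet matches. The practical check for a sensor is therefore that its payload capture length is at least as large as the largest dsize threshold in the rules it is expected to fire.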