From: "CERT-Intexxia"
To: "CERT - INTEXXIA"
Subject: CodeRed Snort Rules
Date: Wednesday 29 August 2001 22:43

________________________________________________________________________
TECHNICAL NOTE INTEXXIA(c)                                    23 08 2001
________________________________________________________________________

TITLE   : CodeRed Snort Rules
CREDITS : Jean-Pierre Mennella / INTEXXIA

________________________________________________________________________
BACKGROUND
==========

Facing the huge amount of CodeRed traffic, we needed, here at Intexxia,
to quickly produce statistics about all the CodeRed attacks received on
the machines we monitor. In order to know which CodeRed variant was
logged, we wrote Snort rules that identify each CodeRed variant.

We have chosen the following CodeRed worm classification:

  - CodeRedI        : the one with ' /default.ida?NNN '
  - CodeRedII       : the one with ' /default.ida?XXX '
  - CodeRedII - New : the one with ' /default.ida?XXX ' and ' _________ '

As others have noticed, we had CodeRed logs that came from proxies
without the '/default.ida?'. These entries are harmless, since the
request no longer targets the .ida handler. Even so, we decided to write
rules for them, to separate these 'attacks' from the effective ones.
We have used the following terms:

  - CodeRedII - via proxy - Uneffective :
      * with ' XXXXXXXX%u9090%u6858 '
      * and  ' X-Forwarded '
  - CodeRedII - New - via proxy - Uneffective :
      * with ' XXXXXXXX%u9090%u6858 '
      * and  ' _________ '
      * and  ' X-Forwarded '
  - CodeRedI - via proxy - Uneffective :
      * with ' NNNNNNNN%u9090%u6858 '
      * and  ' X-Forwarded '

We also noticed in our logs real CodeRed attacks that came through
proxies. Looked at casually, these logs might lead to false conclusions,
because the host that appears to lead the attack is the proxy and not
the infected machine; depending on your logging facility, what you log
may not match reality. Being able to detect such entries helps to find
the really infected hosts (the X-Forwarded-For header added by the proxy
carries the address of its client), so you don't waste time trying to
identify the origin of the attack when you have no other logs to dig
through.
We have used the following terms:

  - CodeRedII - via proxy :
      * same pattern as CodeRedII
      * and ' X-Forwarded '
  - CodeRedII - New - via proxy :
      * same pattern as CodeRedII - New
      * and ' X-Forwarded '
  - CodeRedI - via proxy :
      * same pattern as CodeRedI
      * and ' X-Forwarded '

________________________________________________________________________
SCOPE - SNORT RULES
===================

Snort 1.x stops at the first rule that matches a packet, so the rules
below go from the most specific to the least specific and must be kept
in this order (see SCOPE - HOW TO). For each variant the Snort 1.7 form
only alerts; the Snort 1.8 form also sends a TCP reset to the attacking
host (resp: rst_snd, which needs flexresp support). In the hex contents,
|2F646566 61756C74 2E696461 3F585858| is '/default.ida?XXX',
|2F646566 61756C74 2E696461 3F4E4E4E| is '/default.ida?NNN' and
|5F5F5F5F 5F5F5F5F| is '________'. 'nocase' and 'depth' apply to the
content that precedes them.

CodeRedII - New - via Proxy
===========================

Snort 1.7
---------
alert tcp any any -> any 80 (msg: "CodeRedII Overflow - NEW - via Proxy"; content: "|2F646566 61756C74 2E696461 3F585858|"; content: "|5F5F5F5F 5F5F5F5F|"; content: "X-Forwarded"; nocase;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedII Overflow - NEW - via Proxy"; content: "|2F646566 61756C74 2E696461 3F585858|"; content: "|5F5F5F5F 5F5F5F5F|"; content: "X-Forwarded"; nocase; resp: rst_snd;)

------------------------------------------------------------------------

CodeRedII - New - via Proxy - Uneffective
=========================================

Snort 1.7
---------
alert tcp any any -> any 80 (msg: "CodeRedII Overflow - NEW - via Proxy - Uneffective"; content: "XXXXXXXX%u9090%u6858"; content: "|5F5F5F5F 5F5F5F5F|"; content: "X-Forwarded"; nocase;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedII Overflow - NEW - via Proxy - Uneffective"; content: "XXXXXXXX%u9090%u6858"; content: "|5F5F5F5F 5F5F5F5F|"; content: "X-Forwarded"; nocase; resp: rst_snd;)

------------------------------------------------------------------------

CodeRedII - New
===============

Snort 1.7
---------
alert tcp any any -> any 80 (msg: "CodeRedII Overflow - NEW"; dsize: >239; flags: A+; content: "|2F646566 61756C74 2E696461 3F585858|"; content: "|5F5F5F5F 5F5F5F5F|"; depth: 610;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedII Overflow - NEW"; dsize: >239; flags: A+; content: "|2F646566 61756C74 2E696461 3F585858|"; content: "|5F5F5F5F 5F5F5F5F|"; depth: 610; resp: rst_snd;)

------------------------------------------------------------------------

CodeRedII - via Proxy
=====================

Snort 1.7
---------
alert tcp any any -> any 80 (msg: "CodeRedII Overflow - via Proxy"; content: "|2F646566 61756C74 2E696461 3F585858|"; content: "X-Forwarded"; nocase;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedII Overflow - via Proxy"; content: "|2F646566 61756C74 2E696461 3F585858|"; content: "X-Forwarded"; nocase; resp: rst_snd;)

------------------------------------------------------------------------

CodeRedII - via Proxy - Uneffective
===================================

Snort 1.7
---------
alert tcp any any -> any 80 (msg: "CodeRedII Overflow - via Proxy - Uneffective"; content: "XXXXXXXX%u9090%u6858"; content: "X-Forwarded"; nocase;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedII Overflow - via Proxy - Uneffective"; content: "XXXXXXXX%u9090%u6858"; content: "X-Forwarded"; nocase; resp: rst_snd;)

------------------------------------------------------------------------

CodeRedII
=========

Snort 1.7
---------
alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; dsize: >239; flags: A+; content: "|2F646566 61756C74 2E696461 3F585858|"; depth: 64;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedII Overflow"; dsize: >239; flags: A+; content: "|2F646566 61756C74 2E696461 3F585858|"; depth: 64; resp: rst_snd;)

------------------------------------------------------------------------

CodeRedI - via Proxy
====================

Snort 1.7
---------
alert tcp any any -> any 80 (msg: "CodeRedI Overflow - via Proxy"; content: "|2F646566 61756C74 2E696461 3F4E4E4E|"; content: "X-Forwarded"; nocase;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedI Overflow - via Proxy"; content: "|2F646566 61756C74 2E696461 3F4E4E4E|"; content: "X-Forwarded"; nocase; resp: rst_snd;)

------------------------------------------------------------------------

CodeRedI - via Proxy - Uneffective
==================================

Snort 1.7
---------
alert tcp any any -> any 80 (msg: "CodeRedI Overflow - via Proxy - Uneffective"; content: "NNNNNNNN%u9090%u6858"; content: "X-Forwarded"; nocase;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedI Overflow - via Proxy - Uneffective"; content: "NNNNNNNN%u9090%u6858"; content: "X-Forwarded"; nocase; resp: rst_snd;)

------------------------------------------------------------------------

CodeRedI
========

Snort 1.7
---------
alert tcp any any -> any 80 (msg: "CodeRedI Overflow"; dsize: >239; flags: A+; content: "|2F646566 61756C74 2E696461 3F4E4E4E|"; depth: 64;)

Snort 1.8
---------
alert tcp any any -> any 80 (msg: "RST SENT - CodeRedI Overflow"; dsize: >239; flags: A+; content: "|2F646566 61756C74 2E696461 3F4E4E4E|"; depth: 64; resp: rst_snd;)

------------------------------------------------------------------------

________________________________________________________________________
SCOPE - HOW TO
==============

IMPORTANT NOTE: use these rules in the order given above. Snort 1.x
stops at the first matching rule, so a less specific rule placed first
would take the alerts of the more specific ones (for example 'CodeRedII
Overflow' placed before 'CodeRedII Overflow - NEW' would label every new
variant as plain CodeRedII). You may also consider placing them in a
dedicated .rules file that is included first in your snort.conf.

Cut and paste the rules into the appropriate '.rules' file. Each rule
must be on a single line; if your mailer or editor has wrapped a rule
across several lines, either join the lines again or end each continued
line with '\'. Then reload your Snort configuration.

The Snort 1.8 versions use the 'resp' keyword, which requires a Snort
built with --enable-flexresp. 'rst_snd' sends a TCP RST to the attacking
host; it is a best-effort measure against an in-progress request and
does not replace patching IIS.

We're using these rules with snort 1.8.1 and till now everything went
fine.

________________________________________________________________________
BIBLIOGRAPHY
============

  * Snort Users Manual, Snort Release 1.8.1, by Martin Roesch -
    www.snort.org
  * "CodeRed Snort Rules" by Jim Forster - post on the SecurityFocus
    Incidents mailing list - www.securityfocus.com
  * "New CodeRed Variant - CodeRed.d" by Ryan Russell - post on the
    SecurityFocus Incidents mailing list - www.securityfocus.com

________________________________________________________________________
ACKNOWLEDGEMENTS
================

Thanks to the Intexxia-Lab Team for its material and support.
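To check that the order of the rules really does what the HOW TO section
says, here is an added example; it is not code from the Intexxia note nor
from Snort. It parses the option subset used by the nine Snort 1.7 rules
above (msg, content with |hex| and text, nocase, depth, dsize) and replays
them with Snort 1.x first-match semantics over constructed request
payloads. The payloads are built from the patterns the rules test, not
from captures: the proxy host name, the X-Forwarded-For address and the
Host header are made up, and each whole request is treated as a single
packet payload, since the rules as written do no stream reassembly. The
flags and resp options are read and ignored, as they do not affect which
rule matches a payload.

```python
"""Ordered first-match model of the CodeRed Snort rules (added example)."""
import re
from typing import Optional

# The nine Snort 1.7 rules from the note, in the order they must be loaded.
SNORT_RULES = [
    'alert tcp any any -> any 80 (msg: "CodeRedII Overflow - NEW - via Proxy"; content: "|2F646566 61756C74 2E696461 3F585858|"; content: "|5F5F5F5F 5F5F5F5F|"; content: "X-Forwarded"; nocase;)',
    'alert tcp any any -> any 80 (msg: "CodeRedII Overflow - NEW - via Proxy - Uneffective"; content: "XXXXXXXX%u9090%u6858"; content: "|5F5F5F5F 5F5F5F5F|"; content: "X-Forwarded"; nocase;)',
    'alert tcp any any -> any 80 (msg: "CodeRedII Overflow - NEW"; dsize: >239; flags: A+; content: "|2F646566 61756C74 2E696461 3F585858|"; content: "|5F5F5F5F 5F5F5F5F|"; depth: 610;)',
    'alert tcp any any -> any 80 (msg: "CodeRedII Overflow - via Proxy"; content: "|2F646566 61756C74 2E696461 3F585858|"; content: "X-Forwarded"; nocase;)',
    'alert tcp any any -> any 80 (msg: "CodeRedII Overflow - via Proxy - Uneffective"; content: "XXXXXXXX%u9090%u6858"; content: "X-Forwarded"; nocase;)',
    'alert tcp any any -> any 80 (msg: "CodeRedII Overflow"; dsize: >239; flags: A+; content: "|2F646566 61756C74 2E696461 3F585858|"; depth: 64;)',
    'alert tcp any any -> any 80 (msg: "CodeRedI Overflow - via Proxy"; content: "|2F646566 61756C74 2E696461 3F4E4E4E|"; content: "X-Forwarded"; nocase;)',
    'alert tcp any any -> any 80 (msg: "CodeRedI Overflow - via Proxy - Uneffective"; content: "NNNNNNNN%u9090%u6858"; content: "X-Forwarded"; nocase;)',
    'alert tcp any any -> any 80 (msg: "CodeRedI Overflow"; dsize: >239; flags: A+; content: "|2F646566 61756C74 2E696461 3F4E4E4E|"; depth: 64;)',
]

# keyword, optional quoted value or bare value, terminating ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*(?:"([^"]*)"|([^;]+)))?;')


def decode_content(text: str) -> bytes:
    """Snort content syntax: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Parse msg, content, nocase, depth and dsize; flags and resp are read
    and ignored (flags needs the TCP header, resp is a response action)."""
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    parsed = {"msg": "", "min_dsize": 0, "contents": []}
    for kw, quoted, bare in OPTION_RE.findall(opts):
        val = quoted or bare.strip()
        if kw == "msg":
            parsed["msg"] = val
        elif kw == "content":
            parsed["contents"].append({"pattern": decode_content(val), "nocase": False, "depth": None})
        elif kw == "nocase":          # modifies the preceding content
            parsed["contents"][-1]["nocase"] = True
        elif kw == "depth":           # modifies the preceding content
            parsed["contents"][-1]["depth"] = int(val)
        elif kw == "dsize":           # only the '>N' form used by the note
            if not val.startswith(">"):
                raise ValueError("only 'dsize: >N' is modelled")
            parsed["min_dsize"] = int(val[1:]) + 1
    return parsed


PARSED_RULES = [parse_rule(r) for r in SNORT_RULES]


def rule_matches(rule: dict, payload: bytes) -> bool:
    if len(payload) < rule["min_dsize"]:
        return False
    for c in rule["contents"]:
        # depth: the pattern must lie entirely within the first N payload bytes
        hay = payload if c["depth"] is None else payload[: c["depth"]]
        needle = c["pattern"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def classify(payload: bytes, rules=None) -> Optional[str]:
    """Snort 1.x stops at the first rule that fires: return its msg, or None.
    Pass a reordered list to see how the labels change."""
    for rule in PARSED_RULES if rules is None else rules:
        if rule_matches(rule, payload):
            return rule["msg"]
    return None


def build_request(fill: bytes, underscores=False, proxied=False, keep_path=True) -> bytes:
    """Constructed stand-in for a worm GET (not a capture), reduced to the
    parts the rules test. fill is b"N" (CodeRedI) or b"X" (CodeRedII);
    proxied adds a Via and an X-Forwarded-For header with made-up values;
    keep_path=False mimics the proxy-relayed logs seen without
    '/default.ida?'. The request is returned as one payload."""
    query = fill * 224 + b"%u9090%u6858%ucbd3%u7801" * 3 + b"%u00=a"
    path = (b"/default.ida?" if keep_path else b"/") + query
    req = b"GET " + path + b" HTTP/1.0\r\n"
    if proxied:
        req += b"Via: 1.0 proxy.example.net\r\nX-Forwarded-For: 10.0.0.23\r\n"
    req += b"Content-type: text/xml\r\nHOST: www.worm.com\r\n\r\n"
    if underscores:                   # '________' marker of the New variant, within depth 610
        req += b"_" * 16 + b"\x00" * 64
    return req


# Constructed samples: every variant the note classifies, a benign request,
# and a probe too short to pass dsize: >239.
SAMPLES = {
    "CodeRedI direct": build_request(b"N"),
    "CodeRedII direct": build_request(b"X"),
    "CodeRedII new direct": build_request(b"X", underscores=True),
    "CodeRedII new via proxy": build_request(b"X", underscores=True, proxied=True),
    "CodeRedII via proxy": build_request(b"X", proxied=True),
    "CodeRedII via proxy, path stripped": build_request(b"X", proxied=True, keep_path=False),
    "CodeRedI via proxy, path stripped": build_request(b"N", proxied=True, keep_path=False),
    "benign": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "short probe": b"GET /default.ida?XXX HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:36} -> {classify(payload)}")
```

Running it prints one label per sample. Feeding classify() the same rules
in reverse order relabels the proxied New request as plain "CodeRedII
Overflow", which is exactly the misordering the HOW TO section warns
about. The Snort 1.8 rules can be dropped into SNORT_RULES unchanged; their
resp: rst_snd option is read and ignored like flags.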
________________________________________________________________________
ABOUT INTEXXIA
==============

Created in 1999, Intexxia is a French IT services company specializing
in data security for the enterprise. Intexxia provides outsourcing
solutions, based on innovative technology, in three core areas of data
security: security audits, vulnerability management and 24-by-7 security
supervision.

Intexxia: managed security services

________________________________________________________________________
CONTACT
=======

cert@intexxia.com
INTEXXIA - www.intexxia.com
Standard : +33 155 694 910      171, av. Georges Clémenceau
Fax      : +33 155 697 880      92024 Nanterre Cedex - FRANCE

________________________________________________________________________
DISCLAIMER
==========

Intexxia provides this information as a public service and "as is".
Intexxia will not be held accountable for any damage or distress caused
by the proper or improper usage of these materials.

________________________________________________________________________
COPYRIGHT
=========

(c) Intexxia 2001. This document is the property of Intexxia. Feel free
to use and distribute this material as long as credit is given to
Intexxia and the author.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management and tracking
system please see: http://aris.securityfocus.com