RE: [suse-security] RE: does anybody know such a log
snort 1.9.0 identified it as

[**] WEB-IIS CodeRed v2 root.exe access [**]
10/11-22:26:06.822248 217.219.177.228:1803 -> my.ip.address:80
TCP TTL:112 TOS:0x0 ID:61416 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1963F358 Ack: 0xE45FF7F5 Win: 0x4238 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

iptables didn't pick that one up. Code Red came in using cmd.exe. I had no rule for that.

philipp
-----Original Message-----
From: Jörg Fuchs [mailto:jf@meriadon.de]
Sent: Friday, October 11, 2002 11:20 PM
To: suse-security@suse.com
Subject: AW: [suse-security] RE: does anybody know such a log
Philipp wrote:
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
    -d $IP --dport http -m string \
    --string "/default.ida?" -j DROP

I'm implementing that and let's see how good the stuff works.
I would be interested in the outcomes of your test. Especially the impact on your firewall's load. Please post your experience - thanx *g*
Joerg
On Fri, 11 Oct 2002 mailinglists@belfin.ch wrote:
snort 1.9.0 identified it as
[**] WEB-IIS CodeRed v2 root.exe access [**]
10/11-22:26:06.822248 217.219.177.228:1803 -> my.ip.address:80
TCP TTL:112 TOS:0x0 ID:61416 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1963F358 Ack: 0xE45FF7F5 Win: 0x4238 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
iptables didn't pick that one up. Code Red came in using cmd.exe. I had no rule for that.
You probably used the article at: http://articles.linuxguru.net/view/125 as a guideline. Unfortunately the article gives an example of 3 rules but no further information about the pattern matching syntax. Has anyone got a link to the precise syntax of that pattern matching stuff for iptables? Anyway, I'll see what google will find ...

Wolfgang

--
shconnect Internet Service
web: http://www.shconnect.de
EMail: info@shconnect.de
Bundesstrasse 2, 24392 Dollrottfeld, Fed. Rep. Germany
phone: +49 4641 644
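As an added illustration (not code from this thread or from the linked article), here is a small Python log checker built around the three request patterns the thread mentions: it assumes Apache-style access log lines (constructed below) and shows why a rule that only matches the literal string "/default.ida?" never sees the root.exe and cmd.exe probes, and why matching should normalise case and URL encoding first.

```python
import re
from urllib.parse import unquote

# Request patterns discussed in the thread: the Code Red "/default.ida?"
# request and the root.exe / cmd.exe probes the posted rule did not cover.
PATTERNS = {
    "default.ida": re.compile(r"/default\.ida\?"),
    "root.exe": re.compile(r"/root\.exe"),
    "cmd.exe": re.compile(r"/cmd\.exe"),
}
RULE_STRING = "/default.ida?"   # the only string the thread's iptables rule matches

# Request line of an Apache-style access log entry (assumed log format).
LOG_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[0-9.]+"')

def normalise(path):
    # IIS paths are case-insensitive and may arrive URL-encoded, so decode
    # once and lowercase before matching; a raw byte match skips this step.
    return unquote(path).lower()

def classify(line):
    """Names of the known probe patterns present in one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    path = normalise(m.group("path"))
    return [name for name, rx in PATTERNS.items() if rx.search(path)]

def missed_by_rule(line):
    """True when the line is a known probe but a literal match on the raw
    request (what iptables -m string does) would not have caught it."""
    m = LOG_RE.search(line)
    return bool(m) and bool(classify(line)) and RULE_STRING not in m.group("path")

def summarise(lines):
    """Hits per pattern, plus how many probes the single-string rule misses."""
    hits = {name: 0 for name in PATTERNS}
    missed = 0
    for line in lines:
        for name in classify(line):
            hits[name] += 1
        missed += missed_by_rule(line)
    return hits, missed

# Constructed sample log lines for the run (not taken from the thread).
SAMPLE_LOG = [
    '217.219.177.228 - - [11/Oct/2002:22:26:06 +0200] "GET /default.ida?XXXX HTTP/1.0" 404 -',
    '217.219.177.228 - - [11/Oct/2002:22:26:07 +0200] "GET /scripts/root.exe HTTP/1.0" 404 -',
    '217.219.177.228 - - [11/Oct/2002:22:26:08 +0200] "GET /scripts/CMD.EXE HTTP/1.0" 404 -',
    '192.0.2.10 - - [11/Oct/2002:22:27:00 +0200] "GET /index.html HTTP/1.1" 200 1234',
]
```

Running `summarise(SAMPLE_LOG)` reports one hit per pattern and two probes the single-string rule would have let through, which is the gap philipp's snort alert exposed.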