snort 1.9.0 identified it as

[**] WEB-IIS CodeRed v2 root.exe access [**]
10/11-22:26:06.822248 217.219.177.228:1803 -> my.ip.address:80
TCP TTL:112 TOS:0x0 ID:61416 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1963F358  Ack: 0xE45FF7F5  Win: 0x4238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

iptables didn't pick that one up. Code Red came in using cmd.exe. I had no rule for that.

philipp
-----Original Message-----
From: Jörg Fuchs [mailto:jf@meriadon.de]
Sent: Friday, October 11, 2002 11:20 PM
To: suse-security@suse.com
Subject: AW: [suse-security] RE: does anybody know such a log
Philipp wrote:
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
    -d $IP --dport http -m string \
    --string "/default.ida?" -j DROP

I'm implementing that and let's see how good the stuff works.
I would be interested in the outcomes of your test, especially the impact on your firewall's load. Please post your experience - thanx *g*
Joerg
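The gap Philipp describes is a coverage problem: a single `-m string` rule on "/default.ida?" only sees the original Code Red probe, while the Snort "CodeRed v2 root.exe access" signature keys on the root.exe/cmd.exe paths. The script below is an added example, not code from either post or from the Snort or netfilter projects. It replays a handful of constructed HTTP request lines (hypothetical, not captured traffic; the URIs carry only the path fragments named in the thread) through a plain substring match, the way the string module works, and reports which Code Red II requests the rule from the quoted message would have let through and what a rule set that also covers root.exe and cmd.exe would catch.

```python
"""Coverage check for the two Code Red request patterns named in the thread.

Added example, not from the mailing-list posts.  SAMPLE_REQUESTS is constructed
for illustration; the URIs contain only the fragments the thread mentions
("/default.ida?", "root.exe", "cmd.exe"), not real worm payloads.
"""
import re
from typing import Dict, List, Sequence

# The single pattern in Philipp's iptables rule (Code Red v1 probe).
IPTABLES_STRING_RULE = "/default.ida?"
# What the Snort CodeRed v2 alert is about: a shell reached via the backdoor
# copy (root.exe) or cmd.exe itself.
CODERED_V2_MARKERS = ("root.exe", "cmd.exe")
# Hypothetical extended rule set covering both generations.
EXTENDED_STRING_RULES = (IPTABLES_STRING_RULE,) + CODERED_V2_MARKERS

# Constructed sample request lines (hypothetical, not real traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
]

_REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/\d\.\d$")


def request_uri(line: str) -> str:
    """Pull the request-URI out of an HTTP request line; reject anything else."""
    m = _REQUEST_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an HTTP request line: {line!r}")
    return m.group("uri")


def string_match(line: str, needles: Sequence[str]) -> bool:
    """Model of iptables -m string: a case-sensitive substring search over the
    payload, with no HTTP parsing at all."""
    return any(needle in line for needle in needles)


def classify(line: str) -> str:
    """Label a request line the way an analyst would after reading the thread:
    'codered-v1' (default.ida probe), 'codered-v2' (root.exe/cmd.exe), or 'clean'."""
    uri = request_uri(line).lower()
    if uri.startswith("/default.ida?"):
        return "codered-v1"
    # Only the final path component before any query string is examined, so a
    # file merely named like cmd.exe.txt elsewhere in the tree is not flagged.
    basename = uri.split("?", 1)[0].rsplit("/", 1)[-1]
    if basename in CODERED_V2_MARKERS:
        return "codered-v2"
    return "clean"


def coverage_report(requests: List[str]) -> Dict[str, List[str]]:
    """Compare the single-rule firewall against the Snort v2 classification and
    against the hypothetical extended rule set."""
    report: Dict[str, List[str]] = {
        "iptables_dropped": [],      # caught by the /default.ida? rule alone
        "snort_codered_v2": [],      # what the CodeRed v2 signature is about
        "missed_by_iptables": [],    # v2 requests the single rule lets through
        "extended_dropped": [],      # caught once root.exe/cmd.exe rules are added
    }
    for line in requests:
        label = classify(line)
        dropped = string_match(line, (IPTABLES_STRING_RULE,))
        if dropped:
            report["iptables_dropped"].append(line)
        if label == "codered-v2":
            report["snort_codered_v2"].append(line)
            if not dropped:
                report["missed_by_iptables"].append(line)
        if string_match(line, EXTENDED_STRING_RULES):
            report["extended_dropped"].append(line)
    return report


if __name__ == "__main__":
    for key, lines in coverage_report(SAMPLE_REQUESTS).items():
        print(f"{key}: {len(lines)}")
        for line in lines:
            print(f"    {line}")
```

Two caveats worth keeping in mind when reading the report against real traffic: the string module matches inside a single packet, so a request line split across TCP segments is not seen as one string, whereas Snort reassembles the stream before applying its rule; and a substring rule is case-sensitive, so the firewall rule and the analyst's lower-cased classification above can disagree on mixed-case paths.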