On Fri, 11 Oct 2002 mailinglists@belfin.ch wrote:
> snort 1.9.0 identified it as
>
> [**] WEB-IIS CodeRed v2 root.exe access [**]
> 10/11-22:26:06.822248 217.219.177.228:1803 -> my.ip.address:80
> TCP TTL:112 TOS:0x0 ID:61416 IpLen:20 DgmLen:112 DF
> ***AP*** Seq: 0x1963F358  Ack: 0xE45FF7F5  Win: 0x4238  TcpLen: 20
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> iptables didn't pick that one up. Code Red came in using cmd.exe. I had
> no rule for that.
You probably used the article at http://articles.linuxguru.net/view/125 as a guideline. Unfortunately the article gives an example of 3 rules but no further information about the pattern-matching syntax. Has anyone got a link to the precise syntax of that pattern-matching stuff for iptables? Anyway, I'll see what google will find ...

Wolfgang

-- 
shconnect Internet Service
web: http://www.shconnect.de  EMail: info@shconnect.de
Bundesstrasse 2, 24392 Dollrottfeld, Fed. Rep. Germany
phone: +49 4641 644
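Added illustration, not code from either poster or from the linuxguru article: the string match module only does a raw byte-substring search over each packet, so a rule for "root.exe" is blind to the same request with one character percent-encoded, and a rule for "cmd.exe" cannot see the path that IIS reconstructs from overlong UTF-8 like %c0%af. The script below emulates that substring check next to a matcher that decodes the request path first, and prints the rule lines in today's netfilter syntax (-m string --algo bm --string, which needs kernel 2.6.14 or later; the 2002 patch-o-matic version of the match had no --algo option). The HTTP requests are constructed samples, not captured traffic.

```python
"""Raw iptables-style string matching versus matching on the decoded path.

Added example, not code from the thread.  The request payloads below are
constructed for illustration; the rule format is the current netfilter one.
"""
import re
import shlex

# The two byte patterns the thread is worried about.
PATTERNS = [b"root.exe", b"cmd.exe"]

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain":     b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: victim\r\n\r\n",
    "traversal": b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    "encoded":   b"GET /scripts/%72oot.exe?/c+dir HTTP/1.0\r\n\r\n",
    "benign":    b"GET /index.html HTTP/1.0\r\n\r\n",
}


def iptables_rules(patterns, dport=80):
    """Build one DROP rule per pattern in current netfilter string-match syntax."""
    return [
        "iptables -A INPUT -p tcp --dport %d -m string --algo bm "
        "--string %s -j DROP" % (dport, shlex.quote(p.decode()))
        for p in patterns
    ]


def string_match(payload, patterns=PATTERNS):
    """What '-m string' really does: a case-sensitive byte substring search."""
    return [p for p in patterns if p in payload]


def decode_url_path(path):
    """Percent-decode a path and fold overlong two-byte UTF-8 (0xC0/0xC1 lead
    byte) back to the ASCII it encodes, then lower-case it as IIS would treat it."""
    raw = re.sub(rb"%([0-9A-Fa-f]{2})",
                 lambda m: bytes([int(m.group(1), 16)]), path)
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            # overlong encoding of U+0000..U+007F, e.g. C0 AF -> '/'
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out).lower()


def normalised_match(payload, patterns=PATTERNS):
    """Match against the decoded request path instead of the raw bytes."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return []
    path = decode_url_path(parts[1])
    return [p for p in patterns if p in path]


if __name__ == "__main__":
    for rule in iptables_rules(PATTERNS):
        print(rule)
    for name, payload in SAMPLES.items():
        print("%-9s raw=%-14s decoded=%s" % (
            name, string_match(payload), normalised_match(payload)))
```

The "encoded" sample is the point: the raw match returns nothing for it, because the packet carries "%72oot.exe" rather than "root.exe", while the decoded match finds root.exe. The "traversal" sample is still caught by the raw rule only because "cmd.exe" happens to appear literally at the end of the URL. A packet-level string rule is therefore a quick stop-gap for the noisy, unencoded Code Red scans, not a substitute for filtering at the web server or in an IDS that decodes HTTP.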