TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
I have a similar concern. The suggested signature isn't very creative ;-)
I would prefer to configure a more specific signature string in order to not
get false Code Red alarms. With the suggested one, any kind of access to
"default.ida" would be triggered as Code Red activity.
Can't we add the long run of Ns to the RS signature so that it becomes more
precise?
Regards,
Anchises M. G. de Paula
Information Security Coordinator
Vento
[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Dan Wangler
Sent: Tuesday, July 31, 2001 10:57 AM
To: [EMAIL PROTECTED]
Subject: Code Red for RealSecure
I received the X-Press alert for Code Red yesterday. In it was some good
information on what it is and does and how to detect it.
I do have a question concerning the RS signature. In the text of the alert,
it says that Code Red sends the string "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a".
However, the signature string for RS is simply "default\.ida$". I do not
understand how the two can relate since the RS string does not match that
part of the attack. Can someone explain it for me?
Thanks
Dan Wangler, GIAC Certified Intrusion Analyst
IT Security Engineering and Development
IT Security, Texas Instruments, Inc.
6500 Chase Oaks Blvd., MS 8417
Plano, Texas, 75023, Phone: 972-927-8304
Email: [EMAIL PROTECTED]
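
The trade-off raised in both messages, as an added example that is not part of either message and is not RealSecure's own matching logic. It assumes the quoted signature is applied to the URL path with the query string removed, and compares it with a hypothetical narrower rule that also requires a long run of N in the query; the request lines and the run length of 64 are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The signature string quoted in the thread, applied to the URL path only
# (assumption: the sensor strips the query string before matching).
BROAD = re.compile(r"default\.ida$")

# Hypothetical narrower rule: same path, plus a query that starts with a long
# run of 'N'. The minimum length of 64 is an assumed tuning value.
NARROW_QUERY = re.compile(r"^N{64,}")

# Constructed request lines (not captured traffic).
SAMPLES = {
    "plain_access": "GET /default.ida HTTP/1.0",
    "short_query": "GET /default.ida?CiRestriction=none HTTP/1.0",
    "n_padded": "GET /default.ida?" + "N" * 200 + "%u9090%u6858 HTTP/1.0",
    "x_padded": "GET /default.ida?" + "X" * 200 + "%u9090%u6858 HTTP/1.0",
    "unrelated": "GET /index.html HTTP/1.0",
}


def classify(request_line):
    """Return (broad_hit, narrow_hit) for one HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return (False, False)
    url = urlsplit(parts[1])
    broad = bool(BROAD.search(url.path))
    # The narrow rule only fires when the path matches and the padding is present.
    narrow = broad and bool(NARROW_QUERY.match(url.query))
    return (broad, narrow)


def classify_all(samples=SAMPLES):
    """Map each sample name to its (broad_hit, narrow_hit) pair."""
    return {name: classify(line) for name, line in samples.items()}


if __name__ == "__main__":
    for name, (broad, narrow) in classify_all().items():
        print(f"{name:13s} broad={broad!s:5s} narrow={narrow}")
```

The broad rule fires on every request for default.ida, including the two harmless ones, while the narrow rule stays quiet on those but also misses the request whose padding character differs.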