TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Don:
The backslash \ in default\.ida$ is there to indicate to the RS regex
parser that the period is to be read literally as a period and NOT to be
considered a period meta-character (a regex period = 1 character of any
description, except newline). And having default.ida on your system is all
you need for an indication that the VULNERABILITY is there, so looking for a
GET of default.ida is all you need to indicate that the THREAT is there. Of
course, you could always add the binary code portion of the attack at the
end of the packet, but why type more when less will do?
BTW, the folks at ISS Support educated me on the $ (EOL indicator) in the
suggested default\.ida$ string recommendation. Using a User Defined Event
context of URL Data, any part of the line that includes CGI parameters
(including the ? and all subsequent data) is not passed to the RS parser.
So the GET line effectively ends for the RS parser at the end of the
default.ida phrase. Hence default\.ida$
Jim Lindley
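The following is an added illustration of the explanation above, not code from the thread or from ISS: it models the URL Data context as described (everything from the ? onward is dropped before the regex runs) and applies the default\.ida$ signature to a few constructed request lines. The context function, sample names and the shortened Code Red line are assumptions for the example.

```python
import re

# Signature string from the X-Press alert as quoted in the thread.
SIGNATURE = re.compile(r"default\.ida$")


def url_data_context(request_line):
    """Model of the RealSecure 'URL Data' context as described in the thread
    (an assumption about its behaviour, not RS code): take the URL out of the
    request line and drop the '?' and all CGI parameters after it, so the
    regex parser only ever sees the path portion."""
    parts = request_line.split(" ", 2)
    if len(parts) < 2:
        return ""
    return parts[1].split("?", 1)[0]


def matches_code_red_signature(request_line):
    """True when default\\.ida$ fires on the URL Data context of the line."""
    return SIGNATURE.search(url_data_context(request_line)) is not None


def unescaped_dot_matches(request_line):
    """Same check with the dot left unescaped, to show why the backslash
    matters: '.' then means 'any one character', so defaultXida would fire."""
    return re.search(r"default.ida$", url_data_context(request_line)) is not None


# Constructed sample request lines. The Code Red one is shortened from the
# string quoted in the alert; the others are made up to exercise the edges.
SAMPLES = {
    "code_red": "GET /default.ida?" + "N" * 224
                + "%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0",
    "benign": "GET /index.html HTTP/1.0",
    "dot_replaced": "GET /defaultXida HTTP/1.0",
    "ida_only_in_query": "GET /index.html?page=default.ida HTTP/1.0",
}


def classify(samples=SAMPLES):
    """Run the signature over every sample; returns {name: matched}."""
    return {name: matches_code_red_signature(line) for name, line in samples.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:20s} -> {'ALERT' if hit else 'no match'}")
```

Only the Code Red line fires: the $ anchor works because the context ends at the end of the path, and the escaped dot keeps defaultXida from matching.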
-----Original Message-----
From: Dan Wangler [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 31, 2001 9:57 AM
To: [EMAIL PROTECTED]
Subject: Code Red for RealSecure
I received the X-Press alert for Code Red yesterday. In it was some good
information on what it is and does and how to detect it.
I do have a question concerning the RS signature. In the text of the alert,
it says that Code Red sends the string "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a".
However, the signature string for RS is simply "default\.ida$". I do not
understand how the two can relate since the RS string does not match that
part of the attack. Can someone explain it for me?
Thanks
Dan Wangler, GIAC Certified Intrusion Analyst
IT Security Engineering and Development
IT Security, Texas Instruments, Inc.
6500 Chase Oaks Blvd., MS 8417
Plano, Texas, 75023, Phone: 972-927-8304
Email: [EMAIL PROTECTED]