TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Dan,

In the current version of the user-defined signature parser for RealSecure
nothing after the ? is matched. Lots of people have been asking us to fix that
so we will soon (I think the fix is going into X-Press Update (XPU) 3.2). The $
is the end-of-string matcher so when the worm hits you, the only thing that
gets passed to the regular expression parser is "default.ida". When we release
an XPU with a fix you will be able to use a signature like
"default.ida\?NNNNN". There are a few other vulnerabilities that could be
detected better if we looked for what comes after the ?.

I hope this helps,
-jon
=====================================================================
Jon Larimer | Direct Dial: (404) 236-2843
Systems Engineer / ISS X-Force Team | ISS Front Desk: (404) 236-2600
Internet Security Systems, Inc. |
=====================================================================
> -----Original Message-----
> From: Dan Wangler [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 31, 2001 9:57 AM
> To: [EMAIL PROTECTED]
> Subject: Code Red for RealSecure
>
> I received the X-Press alert for Code Red yesterday. In it was some good
> information on what it is and does and how to detect it.
>
> I do have a question concerning the RS signature. In the text of the alert,
> it says that Code Red sends the string "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a".
>
> However, the signature string for RS is simply "default\.ida$". I do not
> understand how the two can relate since the RS string does not match that
> part of the attack. Can someone explain it for me?
>
> Thanks
>
>
> Dan Wangler, GIAC Certified Intrusion Analyst
> IT Security Engineering and Development
> IT Security, Texas Instruments, Inc.
> 6500 Chase Oaks Blvd., MS 8417
> Plano, Texas, 75023, Phone: 972-927-8304
> Email: [EMAIL PROTECTED]
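The behaviour Jon describes above, as an added example that is not part of the thread and is not ISS code: a small Python model of a regex signature applied to an HTTP request target, once with the query string dropped (the current parser, per Jon) and once with the full target passed to the matcher (an assumption about what the fixed parser will see). The sample request targets are constructed; the Code Red one is built from the string Dan quoted (224 N's followed by the %u payload), and the two "benign" .ida targets are made up for contrast. The example also shows a consequence of plain regex semantics that the thread does not spell out: once the query string reaches the matcher, a $-anchored signature such as default\.ida$ no longer matches the worm request, because the target does not end at default.ida.

```python
import re

# Signatures discussed in the thread: the shipped RealSecure one and the form
# Jon says will become usable once the parser sees the query string.
SIG_SHIPPED = r"default\.ida$"
# Jon wrote default.ida\?NNNNN; the dot is escaped here so it matches literally.
SIG_PLANNED = r"default\.ida\?NNNNN"

# Constructed sample targets (not captured traffic). The Code Red target is
# built from the string Dan quoted: 224 'N's followed by the %u-encoded payload.
CODE_RED_PAYLOAD = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090"
                    "%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00"
                    "%u531b%u53ff%u0078%u0000%u00=a")
CODE_RED_TARGET = "/default.ida?" + "N" * 224 + CODE_RED_PAYLOAD

SAMPLE_TARGETS = {
    "code_red":  CODE_RED_TARGET,
    "plain_ida": "/default.ida",                   # assumed benign hit, no query
    "ida_query": "/default.ida?CiRestriction=foo",  # assumed benign .ida query
    "other":     "/index.html",
}


def strip_query(target):
    """Emulate the parser behaviour Jon describes: nothing after '?' is kept."""
    return target.split("?", 1)[0]


def matches(signature, target, pass_query):
    """Apply a RealSecure-style regex signature to one request target.

    pass_query=False models the current parser (query string dropped before
    matching); pass_query=True models the assumed post-fix parser (the full
    target reaches the regex).
    """
    subject = target if pass_query else strip_query(target)
    return re.search(signature, subject) is not None


def evaluate(signature, pass_query, targets=SAMPLE_TARGETS):
    """Return the (sorted) names of the sample targets a signature fires on."""
    return sorted(name for name, t in targets.items()
                  if matches(signature, t, pass_query))


if __name__ == "__main__":
    for sig in (SIG_SHIPPED, SIG_PLANNED):
        for pass_query in (False, True):
            mode = "full target" if pass_query else "query stripped"
            print(f"{sig!r:28} [{mode:15}] -> {evaluate(sig, pass_query)}")
```

Run stand-alone, the script shows the four combinations: with the query stripped, default\.ida$ fires on every request for default.ida (the worm and the two benign ones alike, since all of them reduce to "/default.ida"), while the planned default\.ida\?NNNNN signature can never fire; with the full target passed, the planned signature fires only on the worm request and the $-anchored one fires only on the bare "/default.ida".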