TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
How about some documentation that outlines how to specify regular expressions
using RS, in more detail.
Thanks
From: "Larimer, Jon (ISS Dunwoody)" <JLarimer@iss.net>
Date: 01/08/2001 06:59 AM
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
cc: (bcc: Jas Amidzic/Staff/ABS)
Subject: RE: Code Red for RealSecure
Dan,

In the current version of the user-defined signature parser for RealSecure
nothing after the ? is matched. Lots of people have been asking us to fix
that, so we will soon (I think the fix is going into X-Press Update (XPU)
3.2). The $ is the end-of-string matcher, so when the worm hits you, the
only thing that gets passed to the regular expression parser is
"default.ida". When we release an XPU with a fix you will be able to use a
signature like "default.ida\?NNNNN". There are a few other vulnerabilities
that could be detected better if we looked for what comes after the ?. I
hope this helps,

-jon
=====================================================================
Jon Larimer | Direct Dial: (404) 236-2843
Systems Engineer / ISS X-Force Team | ISS Front Desk: (404) 236-2600
Internet Security Systems, Inc. |
=====================================================================
> -----Original Message-----
> From: Dan Wangler [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 31, 2001 9:57 AM
> To: [EMAIL PROTECTED]
> Subject: Code Red for RealSecure
>
> I received the X-Press alert for Code Red yesterday. In it was some good
> information on what it is and does and how to detect it.
>
> I do have a question concerning the RS signature. In the text of the alert,
> it says that Code Red sends the string "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a".
>
> However, the signature string for RS is simply "default\.ida$". I do not
> understand how the two can relate since the RS string does not match that
> part of the attack. Can someone explain it for me?
>
> Thanks
>
>
> Dan Wangler, GIAC Certified Intrusion Analyst
> IT Security Engineering and Development
> IT Security, Texas Instruments, Inc.
> 6500 Chase Oaks Blvd., MS 8417
> Plano, Texas, 75023, Phone: 972-927-8304
> Email: [EMAIL PROTECTED]
-----------------------------------------------
ABS Australian Business Number: 26 331 428 522 ABS Web Site: www.abs.gov.au
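The parser behaviour Jon describes above (nothing after the "?" is passed to the regex, so "$" anchors at the end of the path), as an added Python emulation; this is not RealSecure code, and the request lines are constructed samples modelled on the one Dan quoted.

```python
import re

# Emulates the two RealSecure user-defined signature behaviours the thread
# describes: the current parser drops everything after the first "?" before
# matching, while the fixed parser (XPU 3.2 per the thread) sees the whole URI.
# Constructed samples: the Code Red line follows the shape quoted in the
# thread, with the run of "N" bytes (224 here) built rather than typed out.
CODE_RED_REQUEST = (
    "GET /default.ida?" + "N" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"
)

SAMPLE_REQUESTS = [
    CODE_RED_REQUEST,
    "GET /default.ida HTTP/1.0",                   # .ida hit with no query string
    "GET /scripts/default.idaho?x=1 HTTP/1.0",     # "ida" is not at the end of the path
    "GET /index.html?page=default.ida HTTP/1.0",   # "default.ida" appears only in the query
]


def request_uri(request_line):
    """Return the request-URI from an HTTP request line ('GET /x HTTP/1.0')."""
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def rs_match(signature, request_line, drop_query=True):
    """Apply a user-defined signature regex the way the thread describes.

    drop_query=True emulates the current parser: only the part of the URI before
    the first '?' reaches the regex, so '$' anchors at the end of the path.
    drop_query=False emulates the fixed parser, which matches the full URI.
    """
    uri = request_uri(request_line)
    if drop_query:
        uri = uri.split("?", 1)[0]
    return re.search(signature, uri) is not None


def scan(signature, request_lines, drop_query=True):
    """Return the request lines the signature flags under the chosen parser."""
    return [r for r in request_lines if rs_match(signature, r, drop_query)]


if __name__ == "__main__":
    for sig, dq in ((r"default\.ida$", True), (r"default\.ida\?N+", True), (r"default\.ida\?N+", False)):
        print(f"{sig!r} drop_query={dq}: {len(scan(sig, SAMPLE_REQUESTS, dq))} hit(s)")
```

Note the side effect of the fix: once the full URI reaches the regex, "default\.ida$" no longer matches the Code Red request (the URI ends in "%u00=a"), which is why a signature of the "default.ida\?NNNNN" form is needed afterwards.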