07-18-2001 10:01 AM - edited 03-08-2019 08:29 PM
I've created this string match signature following the suggestion in the eEye analysis of the worm.
I'd like the moderators to check if it makes sense, and also tell us if there's an 'official' Cisco sig coming.
/default.ida?[A-Z][a-z][0-9]+%u9090%u6858%ucbd3%u7801%u9090+[]
Ciao,
Giovanni
07-18-2001 11:36 AM
I'm forwarding your string to the guys who can check it out. There is an "official" string sig posted here in the NetPro forums. Look for a message title
"Cisco Secure IDS/NetRanger Custom String Match Signature for Remote" (name got cut off)
Buffer Overflow in Microsoft Index Server ISAPI Extension in IIS 4.0 and 5.0.
It will catch both types of use of the .ida overflow (code and DoS). That is, it's not specific to Red Worm, but detects the general case of using .ida buffer overflows.
SC
07-18-2001 01:45 PM
Giovanni,
Your signature needs some minor changes to make it functional. A '.' is a special character (it means anything except newline) and needs to be enclosed in a character class bracket '[]'.
try this:
/default[.]ida[?][a-zA-Z0-9]+%u9090%u6858%ucbd3%u7801%u9090
-Blaine
07-19-2001 04:34 PM
Blaine,
FWIW your sig does not work. :-( Not technical enough to repair it, but with 35000 hits of the worm today (both inbound and outbound) the signature above did not catch it. I used yours rather than the original, so I can't speak of it. I do know that the original ISAPI buffer overflow signature here did catch it so we knew which systems were infected and reattacking.
Thanks for the effort. Too tired after what today was like to flame. :-) If you're on the net with your probes I'm sure you'll get a chance to try a live detect. If not, here's the original eeye final analysis excerpt for IDS:
"How to setup your IDS to detect this specific worm?
---------------------------------------------------
The following is part of the packet data that is sent for this .ida "Code Red" worm attack:
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Just add that to your IDS signature database."
07-20-2001 01:22 AM
After testing I changed it to the following, which worked flawlessly: 3000 detects over 24h, towards a single class C net. (0 infections :)
/default\.ida\?[a-zA-Z0-9]+%u9090%u6858%ucbd3%u7801%u9090
You're right that it was not so useful after all, the older and more generic sig detected it anyway.
Giovanni
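As an added example (not part of the original thread, and not Cisco's or eEye's code), the script below runs the three signatures posted above, plus one constructed variant with the '.' left unescaped, against a request built from the eEye packet excerpt and a few constructed benign requests. It uses Python's re engine, which is close to but not identical to the sensor's string-match dialect, so it shows what a PCRE-style engine would do with each pattern, not how a given sensor release behaves.

```python
import re

# Signatures as they appear in the thread, as raw strings. The last entry is a
# constructed variant (not from the thread) that leaves '.' unescaped, to show
# the point Blaine made about '.' being a wildcard.
SIGNATURES = {
    "giovanni_original": r"/default.ida?[A-Z][a-z][0-9]+%u9090%u6858%ucbd3%u7801%u9090+[]",
    "blaine": r"/default[.]ida[?][a-zA-Z0-9]+%u9090%u6858%ucbd3%u7801%u9090",
    "giovanni_final": r"/default\.ida\?[a-zA-Z0-9]+%u9090%u6858%ucbd3%u7801%u9090",
    "unescaped_dot_variant": r"/default.ida\?[a-zA-Z0-9]+%u9090%u6858%ucbd3%u7801%u9090",
}

# Request line reconstructed from the eEye excerpt quoted in the thread:
# a run of 'N' bytes followed by the %u-encoded payload prefix.
CODE_RED_REQUEST = (
    "GET /default.ida?" + "N" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
    + "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
    + " HTTP/1.0"
)

# Constructed benign traffic: a normal .ida query and an ordinary page fetch.
BENIGN_REQUESTS = [
    "GET /default.ida?query=test HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

# Constructed decoy: same payload, but the '.' in 'default.ida' replaced by 'X'.
# A pattern with an unescaped '.' still matches this; an escaped one does not.
DECOY_REQUEST = (
    "GET /defaultXida?" + "N" * 16 + "%u9090%u6858%ucbd3%u7801%u9090 HTTP/1.0"
)


def compile_signature(pattern):
    """Return (compiled_regex, None) or (None, error_message)."""
    try:
        return re.compile(pattern), None
    except re.error as exc:
        return None, str(exc)


def evaluate(signatures, attack, benign, decoy):
    """For each signature, record whether it compiles, whether it fires on the
    attack request, how many benign requests it fires on, and whether it
    fires on the decoy with the '.' altered."""
    report = {}
    for name, pattern in signatures.items():
        regex, err = compile_signature(pattern)
        if regex is None:
            report[name] = {"compiles": False, "error": err,
                            "attack": False, "benign_hits": 0, "decoy": False}
            continue
        report[name] = {
            "compiles": True,
            "error": None,
            "attack": regex.search(attack) is not None,
            "benign_hits": sum(1 for r in benign if regex.search(r)),
            "decoy": regex.search(decoy) is not None,
        }
    return report


def run():
    return evaluate(SIGNATURES, CODE_RED_REQUEST, BENIGN_REQUESTS, DECOY_REQUEST)


if __name__ == "__main__":
    for name, r in run().items():
        print(f"{name:22s} compiles={r['compiles']!s:5s} attack={r['attack']!s:5s} "
              f"benign_hits={r['benign_hits']} decoy={r['decoy']}"
              + (f"  error: {r['error']}" if r["error"] else ""))
```

Under Python's engine the original pattern does not compile (the trailing `[]` is an unterminated character class), both the bracketed and the backslash-escaped forms fire on the reconstructed worm request and on nothing benign, and only the unescaped-dot variant also fires on the decoy, which is the over-match Blaine's '.' remark warns about.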
07-20-2001 06:39 AM
Blaine also published the RegEx syntax under the thread that posted the generic .ida buffer overflow. You can use that as an aid for generating custom signatures. Blaine didn't check the operation of the string you sent in, he only checked it for syntax based on what he thought you were trying to do.
SC