.N IIS - Code Red Worm #Policy Name
.L 2 #Policy structure
.D This policy detects multiple versions of the Code Red worm. This worm attempts to overflow a buffer in the ISAPI extensions of the IIS server. #Policy Description
.V 1012341867 #Policy revision number
.Z 143 #Policy ID
.Z 143 #Policy ID
.R Code Red Detected #Rule Definition
..D Reference: Symantec Security Response Code Red I/II Writeups #Rule Description
..Z 144 #Rule ID
..K #Rule And Select logic
..V 90 #Rule Value
..S #Select Clause(s)
...G HTTP Request Types #System Message
....T *DELETE* #Regular text
....T *GET* #Regular text
....T *HEAD* #Regular text
....T *POST* #Regular text
....C 0 #Case sensitivity
....Z 146 #ID of the clause
..S #Select Clause(s)
...G IIS Extentions Requests #System Message
....T *.ida?AAAAAAAAAA* #Regular text
....T *.ida?NNNNNNNNNN* #Regular text
....T *.ida?XXXXXXXXXX* #Regular text
....T *.idq?AAAAAAAAAA* #Regular text
....T *.idq?NNNNNNNNNN* #Regular text
....T *.idq?XXXXXXXXXX* #Regular text
....C 1 #Case sensitivity
....Z 147 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 148 #ID of the clause