[Snort-devel] Oddities in Build

Erek Adams erek at ...105...
Wed Aug 29 09:07:37 EDT 2001


This output from the full alerts doesn't seem right:

[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
08/28/01-17:39:59.621713 206.14.129.203:1446 -> x.x.x.x:80
TCP TTL:124 TOS:0x0 ID:42467 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x39CD02D  Ack: 0x5FC2DCB1  Win: 0x16D0  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS552]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071]

[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
08/28/01-17:39:59.629922 206.14.129.203:1446 -> x.x.x.x:80
TCP TTL:124 TOS:0x0 ID:42468 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x39CD5E1  Ack: 0x5FC2DCB1  Win: 0x16D0  TcpLen: 20

[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
08/28/01-17:39:59.621692 206.14.129.203:1446 -> x.x.x.x:80
TCP TTL:124 TOS:0x0 ID:42467 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x39CD02D  Ack: 0x5FC2DCB1  Win: 0x16D0  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS552]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071]


Also, ports aren't listed in the portscan output.  Did I imagine that got
added in build 75?


[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 213.237.113.116 (THRESHOLD
4 connections exceeded in 0 seconds) [**]
08/28/01-18:00:43.969279

[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 213.237.113.116 (THRESHOLD
4 connections exceeded in 0 seconds) [**]
08/28/01-18:00:44.008916

[**] [100:2:1] spp_portscan: portscan status from 213.237.113.116: 9
connections across 9 hosts: TCP(9), UDP(0) [**]
08/28/01-18:00:52.803065

[**] [100:2:1] spp_portscan: portscan status from 213.237.113.116: 9
connections across 9 hosts: TCP(9), UDP(0) [**]
08/28/01-18:00:52.850901

[**] [100:3:1] spp_portscan: End of portscan from 213.237.113.116: TOTAL
time(0s) hosts(9) TCP(9) UDP(0) [**]
08/28/01-18:01:06.643005

[**] [100:3:1] spp_portscan: End of portscan from 213.237.113.116: TOTAL
time(0s) hosts(9) TCP(9) UDP(0) [**]
08/28/01-18:01:06.663753


-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
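A small checker for the full-alert format quoted above, added here as an example that is not part of the post or of Snort itself: it splits an alert file into blank-line-separated records and flags the three oddities visible in the excerpt, a header stacked directly on another header, a packet block with no header at all, and the same datagram (IP ID 42467) reported twice. SAMPLE is a constructed excerpt of the output in the post.

```python
import re

# Patterns for the Snort "full" alert format quoted in the post (added example, not Snort code).
HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+) \[\*\*\]$")
PACKET = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IPHDR = re.compile(r"^TCP TTL:\d+ TOS:\S+ ID:(\d+) ")

# Constructed excerpt of the output in the post (Seq/Xref lines dropped for brevity).
SAMPLE = """\
[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
08/28/01-17:39:59.621713 206.14.129.203:1446 -> x.x.x.x:80
TCP TTL:124 TOS:0x0 ID:42467 IpLen:20 DgmLen:1500 DF

[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
08/28/01-17:39:59.629922 206.14.129.203:1446 -> x.x.x.x:80
TCP TTL:124 TOS:0x0 ID:42468 IpLen:20 DgmLen:1500 DF

[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
08/28/01-17:39:59.621692 206.14.129.203:1446 -> x.x.x.x:80
TCP TTL:124 TOS:0x0 ID:42467 IpLen:20 DgmLen:1500 DF
"""

def parse_full_alerts(text):
    """Split the file on blank lines into records and flag stacked headers,
    packet blocks with no header, and one packet (src, dst, IP ID) alerted twice."""
    records, anomalies, seen = [], [], set()
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        headers = [m for m in map(HEADER.match, lines) if m]
        packets = [m for m in map(PACKET.match, lines) if m]
        ipids = [m.group(1) for m in map(IPHDR.match, lines) if m]
        pkt = packets[0] if packets else None
        rec = {"msg": headers[-1].group(4) if headers else None,
               "ts": pkt.group(1) if pkt else None,
               "flow": (pkt.group(2), pkt.group(4)) if pkt else None,
               "ipid": ipids[0] if ipids else None}
        records.append(rec)
        if len(headers) > 1:  # e.g. an .ida header directly followed by a cmd.exe header
            anomalies.append(("stacked headers", [m.group(4) for m in headers]))
        if packets and not headers:  # body whose header went to another record
            anomalies.append(("packet without header", rec["ts"]))
        key = (rec["flow"], rec["ipid"])
        if rec["ipid"] and key in seen:  # same datagram reported again
            anomalies.append(("duplicate packet", key))
        seen.add(key)
    return records, anomalies
```

Running it over the real alert file (`parse_full_alerts(open("alert").read())`) lists every record that was split or duplicated, which makes it easy to tell a logging race from a genuine second hit.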