[Snort-sigs] (spp_stream4) STEALTH ACTIVITY (unknown) detection

Josh.Sakofsky at ...1573...
Wed Jul 23 13:19:33 EDT 2003


When a user within my network tries to access http://www.sonystyle.com, I
end up with these types of alerts:


------------------------------------------------------------------------------
#(4 - 136849) [2003-07-23 13:20:33] [snort/1]  (spp_stream4) STEALTH ACTIVITY (unknown) detection
IPv4: 129.33.21.28 -> XXX.XXX.XXX.XXX
      hlen=5 TOS=0 dlen=175 ID=35498 flags=0 offset=0 TTL=109 chksum=50030
TCP:  port=80 -> dport: 38279  flags=***APR** seq=15200
      ack=1772909165 off=5 res=0 win=8760 urp=0 chksum=44594
Payload:  length = 135

000 : 48 54 54 50 2F 31 2E 31 20 33 30 32 20 4F 62 6A   HTTP/1.1 302 Obj
010 : 65 63 74 20 6D 6F 76 65 64 0D 0A 4C 6F 63 61 74   ect moved..Locat
020 : 69 6F 6E 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E   ion: http://www.
030 : 73 6F 6E 79 73 74 79 6C 65 2E 63 6F 6D 2F 69 6E   sonystyle.com/in
040 : 74 65 72 73 68 6F 70 72 6F 6F 74 2F 65 43 53 2F   tershoproot/eCS/
050 : 53 74 6F 72 65 2F 65 6E 2F 69 6D 61 67 65 73 43   Store/en/imagesC
060 : 61 74 61 6C 6F 67 2F 68 70 2F 68 70 5F 70 5F 6C   atalog/hp/hp_p_l
070 : 75 78 75 72 69 6F 75 73 5F 31 33 33 78 34 30 2E   uxurious_133x40.
080 : 67 69 66 0D 0A 0D 0A                              gif....

------------------------------------------------------------------------------
#(4 - 136765) [2003-07-23 13:20:12] [snort/1]  (spp_stream4) STEALTH ACTIVITY (unknown) detection
IPv4: 129.33.21.28 -> XXX.XXX.XXX.XXX
      hlen=5 TOS=0 dlen=179 ID=59077 flags=0 offset=0 TTL=109 chksum=26447
TCP:  port=80 -> dport: 37913  flags=***APR** seq=22089
      ack=1979376528 off=5 res=0 win=8760 urp=0 chksum=53731
Payload:  length = 139

000 : 48 54 54 50 2F 31 2E 31 20 33 30 32 20 4F 62 6A   HTTP/1.1 302 Obj
010 : 65 63 74 20 6D 6F 76 65 64 0D 0A 4C 6F 63 61 74   ect moved..Locat
020 : 69 6F 6E 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E   ion: http://www.
030 : 73 6F 6E 79 73 74 79 6C 65 2E 63 6F 6D 2F 69 6E   sonystyle.com/in
040 : 74 65 72 73 68 6F 70 72 6F 6F 74 2F 65 43 53 2F   tershoproot/eCS/
050 : 53 74 6F 72 65 2F 65 6E 2F 69 6D 61 67 65 73 4F   Store/en/imagesO
060 : 6E 6C 69 6E 65 2F 68 65 61 64 65 72 2F 68 64 72   nline/header/hdr
070 : 5F 62 74 6E 5F 65 78 70 72 65 73 73 73 68 6F 70   _btn_expressshop
080 : 5F 6C 6F 2E 67 69 66 0D 0A 0D 0A                  _lo.gif....


Does anybody have any idea why, or how to turn this off?
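As an added example (not from the post, and not Snort project code), here is a short Python triage script for the first alert above. It decodes Snort's eight-character TCP flag string (the `12UAPRSF` bit order is Snort's printing convention and is assumed here), rebuilds the payload bytes from the hex dump, checks that the IP and TCP header lengths agree with the stated payload length, and decodes the HTTP response that the payload carries. The checks in `assess()` are constructed heuristics of my own, not the stream4 preprocessor's internal logic. What the dump shows is a web server answering with an HTTP 302 redirect and resetting the connection in the same segment (ACK, PSH and RST set together, with 135 bytes of data), which is the unusual flag combination the alert is reporting.

```python
import re

# Snort prints TCP flags as an 8-character string in bit order 1 2 U A P R S F
# (reserved/ECN bits, URG, ACK, PSH, RST, SYN, FIN); '*' means the bit is clear.
# Layout assumed from Snort's output convention, not stated in the post.
FLAG_CHARS = "12UAPRSF"
FLAG_NAMES = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

# First alert from the post, copied verbatim (XXX is the poster's own masking).
ALERT = """\
#(4 - 136849) [2003-07-23 13:20:33] [snort/1]  (spp_stream4) STEALTH ACTIVITY (unknown) detection
IPv4: 129.33.21.28 -> XXX.XXX.XXX.XXX
      hlen=5 TOS=0 dlen=175 ID=35498 flags=0 offset=0 TTL=109 chksum=50030
TCP:  port=80 -> dport: 38279  flags=***APR** seq=15200
      ack=1772909165 off=5 res=0 win=8760 urp=0 chksum=44594
Payload:  length = 135

000 : 48 54 54 50 2F 31 2E 31 20 33 30 32 20 4F 62 6A   HTTP/1.1 302 Obj
010 : 65 63 74 20 6D 6F 76 65 64 0D 0A 4C 6F 63 61 74   ect moved..Locat
020 : 69 6F 6E 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E   ion: http://www.
030 : 73 6F 6E 79 73 74 79 6C 65 2E 63 6F 6D 2F 69 6E   sonystyle.com/in
040 : 74 65 72 73 68 6F 70 72 6F 6F 74 2F 65 43 53 2F   tershoproot/eCS/
050 : 53 74 6F 72 65 2F 65 6E 2F 69 6D 61 67 65 73 43   Store/en/imagesC
060 : 61 74 61 6C 6F 67 2F 68 70 2F 68 70 5F 70 5F 6C   atalog/hp/hp_p_l
070 : 75 78 75 72 69 6F 75 73 5F 31 33 33 78 34 30 2E   uxurious_133x40.
080 : 67 69 66 0D 0A 0D 0A                              gif....
"""


def parse_snort_flags(flag_str: str) -> set:
    """Turn a Snort flag string such as '***APR**' into a set of flag names."""
    if len(flag_str) != len(FLAG_CHARS):
        raise ValueError(f"expected {len(FLAG_CHARS)} flag characters, got {flag_str!r}")
    flags = set()
    for ch, expected, name in zip(flag_str, FLAG_CHARS, FLAG_NAMES):
        if ch == "*":
            continue
        if ch != expected:
            raise ValueError(f"unexpected flag character {ch!r} in {flag_str!r}")
        flags.add(name)
    return flags


def parse_hex_dump(text: str) -> bytes:
    """Rebuild payload bytes from Snort's 'OFF : HEX ...   ASCII' dump lines."""
    data = bytearray()
    for line in text.splitlines():
        m = re.match(r"^[0-9A-Fa-f]{3} : (.*)$", line.strip())
        if not m:
            continue
        # Hex and ASCII columns are separated by two or more spaces; split there.
        hex_field = re.split(r"\s{2,}", m.group(1), maxsplit=1)[0]
        data += bytes.fromhex(hex_field)
    return bytes(data)


def decode_http_response(payload: bytes) -> dict:
    """Minimal parse of an HTTP response head (status line plus headers)."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    version, code, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": int(code), "reason": reason, "headers": headers}


def parse_alert(text: str) -> dict:
    """Extract the header fields needed for triage and cross-check the lengths."""
    hlen = int(re.search(r"\bhlen=(\d+)", text).group(1))
    dlen = int(re.search(r"\bdlen=(\d+)", text).group(1))
    off = int(re.search(r"\boff=(\d+)", text).group(1))
    flag_str = re.search(r"flags=([*12UAPRSF]{8})", text).group(1)
    stated_len = int(re.search(r"Payload:\s+length = (\d+)", text).group(1))
    payload = parse_hex_dump(text)
    # dlen covers IP header + TCP header + data (header lengths are in 32-bit words).
    expected_len = dlen - hlen * 4 - off * 4
    return {
        "flags": parse_snort_flags(flag_str),
        "payload": payload,
        "lengths_consistent": stated_len == expected_len == len(payload),
    }


def assess(flags: set, payload: bytes) -> list:
    """Constructed triage heuristics (mine, not stream4's internal logic)."""
    findings = []
    if "RST" in flags and payload:
        findings.append("RST segment carries application data")
    if "RST" in flags and "PSH" in flags:
        findings.append("RST combined with PSH")
    return findings


if __name__ == "__main__":
    info = parse_alert(ALERT)
    resp = decode_http_response(info["payload"])
    print("flags:", sorted(info["flags"]), "lengths consistent:", info["lengths_consistent"])
    print("response:", resp["status"], resp["reason"], "->", resp["headers"].get("location"))
    print("findings:", assess(info["flags"], info["payload"]))
```

Running it against the second alert from the post gives the same picture (ACK+PSH+RST with a 302 redirect body), which is what you would want to confirm before deciding that a single server's TCP stack, rather than scanning activity, is the source and tuning the alert for that source. As I recall, in Snort 2.x these stream4 stealth alerts are controlled by the preprocessor's `detect_scans` option; check the README.stream4 that ships with your Snort version rather than taking that from memory.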