[Snort-sigs] Odd HTTP hits on 2 signatures

Hugo van der Kooij hvdkooij at ...481...
Thu Apr 1 14:03:04 EST 2004


Hi,

I get odd hits on the signatures 1070 (WebDAV search access) and 648
(SHELLCODE x86 NOOP) in repeating patterns much like:

04/01-06:20:46.265409  [**] [1:1070:6] WEB-MISC WebDAV search access [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2] {TCP} XXX.XXX.XXX.XXX:3765 -> 192.168.1.2:80
04/01-06:20:47.323124  [**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1] {TCP}
XXX.XXX.XXX.XXX:3765 -> 192.168.1.2:80
04/01-06:20:47.362624  [**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1] {TCP}
XXX.XXX.XXX.XXX:3765 -> 192.168.1.2:80
.....

They always start with a single WebDAV request and then a load of these
NOOPs.

Is anyone aware of any known infection or known web browser that fires off
these requests? The webserver logs show not a single request from said IP
address.

Hugo.

-- 
 All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
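
An added example, not part of the original post: one way to confirm the pattern described above is to rejoin the wrapped alert records and group them by source and destination endpoint, keeping only flows that open with SID 1070 and continue with SID 648. The sample log is constructed in the same layout as the post's excerpt, and the addresses and function names are assumptions made for illustration.

```python
import re

# Constructed sample: same alert layout and e-mail line wrapping as the post.
# Source addresses are documentation-range placeholders, not real hosts.
SAMPLE = """\
04/01-06:20:46.265409  [**] [1:1070:6] WEB-MISC WebDAV search access [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2] {TCP} 203.0.113.7:3765 -> 192.168.1.2:80
04/01-06:20:47.323124  [**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1] {TCP}
203.0.113.7:3765 -> 192.168.1.2:80
04/01-06:20:47.362624  [**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1] {TCP}
203.0.113.7:3765 -> 192.168.1.2:80
04/01-06:25:10.000001  [**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1] {TCP}
198.51.100.9:4100 -> 192.168.1.2:80
"""

# A record starts with a MM/DD-HH:MM:SS.usec timestamp; other lines continue it.
START = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s")
ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] .*?"
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)")

def parse_alerts(text):
    """Rejoin wrapped records and yield (timestamp, sid, (src, dst)) tuples."""
    records = []
    for line in text.splitlines():
        if START.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    for rec in records:
        m = ALERT.match(rec)
        if m:  # records that do not parse are skipped
            yield m["ts"], int(m["sid"]), (m["src"], m["dst"])

def webdav_then_noop_flows(text, first_sid=1070, follow_sid=648):
    """Map each flow that opens with first_sid to its count of follow_sid alerts."""
    flows = {}
    for _ts, sid, flow in parse_alerts(text):
        flows.setdefault(flow, []).append(sid)
    return {flow: sids.count(follow_sid) for flow, sids in flows.items()
            if sids[0] == first_sid and follow_sid in sids[1:]}
```

The source endpoint and timestamps of each returned flow are the values to look for when comparing against the web server's access log.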



