[Snort-sigs] False +ves for COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost,Sig ID,100000138

Russell Fulton r.fulton at ...575...
Tue Oct 4 17:45:45 EDT 2005


Traffic from Google Maps triggers this sig with localhost in the
Referer...

R

META
--------
SID	CID	TimeStamp		Signature
6	1852551	2005-10-04 16:30:05	COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost
Sig ID
100000138

Sensor Hostname				Sensor Interface
hihi.insec.auckland.ac.nz	new dmz sensor

IP
--------
Source Address	Dest Address	Ver	Hdr Len
130.216.97.96	66.102.7.99	4	5
TOS	length	ID	flags	offset	TTL	chksum
0	414	31505	2	0	125	21319

Resolved Source
wks-104-151-2.isom.auckland.ac.nz

Resolved Dest
Could Not Resolve


TCP
--------
Source Port	Dest Port	Seq		Ack		
3603		80		2863650286	3336085125
Offset	Reserved	Flags	Window	Checksum	Urgent Ptr
5	0		24	64512	33346		0

Options
--------
None


Flags
--------
RB 1	RB 0	URG	ACK	PSH	RST	SYN	FIN
			X	X				

DATA
--------
474554202F6D6170733F	GET /maps?
66696C653D6170692676	file=api&v
3D31266B65793D414251	=1&key=ABQ
49414141417335554534	IAAAAs5UE4
3731715738444D346A43	71qW8DM4jC
625062514B3778535075	bPbQK7xSPu
784E726C526734446476	xNrlRg4Ddv
6D674C5F754B397A5073	mgL_uK9zPs
654C5041525465703951	eLPARTep9Q
70514965707758793031	pQIepwXy01
377A38636D527A62424F	7z8cmRzbBO
6F4E7720485454502F31	oNw HTTP/1
2E310D0A416363657074	.1..Accept
3A202A2F2A0D0A526566	: */*..Ref
657265723A2068747470	erer: http
3A2F2F6C6F63616C686F	://localho
73742F54657374576562	st/TestWeb
2F4D61702E617370780D	/Map.aspx.
0A4163636570742D4C61	.Accept-La
6E67756167653A20656E	nguage: en
2D6E7A0D0A4163636570	-nz..Accep
742D456E636F64696E67	t-Encoding
3A20677A69702C206465	: gzip, de
666C6174650D0A557365	flate..Use
722D4167656E743A204D	r-Agent: M
6F7A696C6C612F342E30	ozilla/4.0
2028636F6D7061746962	 (compatib
6C653B204D5349452036	le; MSIE 6
2E303B2057696E646F77	.0; Window
73204E5420352E313B20	s NT 5.1;
5356313B202E4E455420	SV1; .NET
434C5220312E312E3433	CLR 1.1.43
3232290D0A486F73743A	22)..Host:
206D6170732E676F6F67	 maps.goog
6C652E636F6D0D0A436F	le.com..Co
6E6E656374696F6E3A20	nnection:
4B6565702D416C697665	Keep-Alive
0D0A0D0A	....

DATA
--------
GET /maps?file=api&v=1&key=ABQIAAAAs5UE471qW8DM4jCbPbQK7xSPu
xNrlRg4DdvmgL_uK9zPseLPARTep9QpQIepwXy017z8cmRzbBOoNw HTTP/1
.1..Accept: */*..Referer: http://localhost/TestWeb/Map.aspx.
.Accept-Language: en-nz..Accept-Encoding: gzip, deflate..Use
r-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
SV1; .NET CLR 1.1.4322)..Host: maps.google.com..Connection:
Keep-Alive....
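The following is an added example, not code from the original post or from the Snort project. It decodes the hex payload shown in the alert above, parses the HTTP request, and contrasts two matchers: a naive one that looks for "localhost" anywhere in the payload (an assumption about why this rule fires; the actual text of sid 100000138 is not quoted on the page) and one scoped to the Host header, which is the server name a client claims to be talking to. The second request, with Host: localhost, is a constructed test input to show the scoped check still fires on the case the signature is named for. The function names and the `(hostname in ("localhost", "127.0.0.1"))` condition are this example's own choices.

```python
"""Decode the Google Maps alert payload and compare a whole-payload
'localhost' match with a Host-header-scoped match.

Added example: not code from the original post or from the Snort project.
The naive matcher is an assumed model of a payload-wide content match,
not the real rule text for sid 100000138."""

import binascii

# Hex payload copied from the DATA section of the alert (assembled here
# as a Python literal from the page's own dump; 374 bytes).
ALERT_PAYLOAD_HEX = "".join([
    "474554202F6D6170733F", "66696C653D6170692676", "3D31266B65793D414251",
    "49414141417335554534", "3731715738444D346A43", "625062514B3778535075",
    "784E726C526734446476", "6D674C5F754B397A5073", "654C5041525465703951",
    "70514965707758793031", "377A38636D527A62424F", "6F4E7720485454502F31",
    "2E310D0A416363657074", "3A202A2F2A0D0A526566", "657265723A2068747470",
    "3A2F2F6C6F63616C686F", "73742F54657374576562", "2F4D61702E617370780D",
    "0A4163636570742D4C61", "6E67756167653A20656E", "2D6E7A0D0A4163636570",
    "742D456E636F64696E67", "3A20677A69702C206465", "666C6174650D0A557365",
    "722D4167656E743A204D", "6F7A696C6C612F342E30", "2028636F6D7061746962",
    "6C653B204D5349452036", "2E303B2057696E646F77", "73204E5420352E313B20",
    "5356313B202E4E455420", "434C5220312E312E3433", "3232290D0A486F73743A",
    "206D6170732E676F6F67", "6C652E636F6D0D0A436F", "6E6E656374696F6E3A20",
    "4B6565702D416C697665", "0D0A0D0A",
])

# Constructed request (not from the page) whose Host header really is
# localhost, i.e. the case the signature is named for.
SPOOFED_HOST_REQUEST = (
    b"GET /default.asp HTTP/1.1\r\nHost: localhost\r\nAccept: */*\r\n\r\n"
)


def decode_payload(hex_text: str) -> bytes:
    """Turn the alert's hex dump into the raw TCP payload bytes."""
    return binascii.unhexlify(hex_text)


def parse_http_request(raw: bytes) -> dict:
    """Parse a minimal HTTP/1.x request: request line plus headers.

    Header names are lower-cased; parsing stops at the blank line that
    ends the header block, so any body is ignored."""
    text = raw.decode("latin-1")
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target,
            "version": version, "headers": headers}


def naive_localhost_match(raw: bytes) -> bool:
    """Assumed naive check: 'localhost' anywhere in the request.

    Fires on the Referer header of the Google Maps request, which is the
    false positive reported above."""
    return b"localhost" in raw.lower()


def host_header_localhost_match(req: dict) -> bool:
    """Scoped check: examine only the Host header (the server name the
    client claims to be talking to), ignoring Referer and the URL."""
    host = req["headers"].get("host", "")
    hostname = host.split(":", 1)[0].strip().lower()
    return hostname in ("localhost", "127.0.0.1")


def classify(raw: bytes) -> dict:
    """Summarise one request: the two headers of interest and which of
    the two matchers would fire on it."""
    req = parse_http_request(raw)
    return {
        "host": req["headers"].get("host"),
        "referer": req["headers"].get("referer"),
        "naive_fires": naive_localhost_match(raw),
        "scoped_fires": host_header_localhost_match(req),
    }


if __name__ == "__main__":
    for label, raw in (("alert payload", decode_payload(ALERT_PAYLOAD_HEX)),
                       ("constructed Host: localhost", SPOOFED_HOST_REQUEST)):
        print(label, classify(raw))
```

Run stand-alone, the script reports that the alert payload has Host maps.google.com and Referer http://localhost/TestWeb/Map.aspx, that the naive matcher fires on it while the Host-scoped one does not, and that the constructed request with Host: localhost is caught by both. Whether the real rule should key on the Host header rather than the whole payload depends on what the signature author intended, which the post does not state; the point of the example is only that the reported false positive comes from the Referer, not from the Host header.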
