[Snort-sigs] False +ves for WEB-CLIENT Windows Media Player 7+ ActiveX Object Access sid: 4156

Russell Fulton r.fulton at ...575...
Thu Oct 6 15:48:23 EDT 2005

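I'm seeing lots of hits on this rule from all over the place, including
our own servers. The sample below is an ordinary web page (an MSN Spaces
profile) that embeds the Windows Media Player control by classid in an
<object> tag to play an MP3: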

SID	CID	TimeStamp		Signature
6	1983248	2005-10-06 11:46:30	WEB-CLIENT Windows Media Player 7+ ActiveX
Object Access
Sig ID

Sensor Hostname				Sensor Interface
hihi.insec.auckland.ac.nz	new dmz sensor

Source Address	Dest Address	Ver	Hdr Len	4	5
TOS	length	ID	flags	offset	TTL	chksum
0	1500	4984	2	0	115	53471

Resolved Source

Resolved Dest

Source Port	Dest Port	Seq		Ack		
80		39759		2796219062	3101585853
Offset	Reserved	Flags	Window	Checksum	Urgent Ptr
8	0		16	17520	60498		0



3D73617665726F772073	=saverow s
74796C653D2270616464	tyle="padd
696E673A302038203220	ing:0 8 2
38223E0D0A203C746162	8">.. <tab
6C652063656C6C737061	le cellspa
63696E673D3020626F72	cing=0 bor
6465723D303E0D0A203C	der=0>.. <
74723E0D0A203C746420	tr>.. <td
77696474683D31303025	width=100%
3E3C2F74643E0D0A203C	></td>.. <
7464206E6F777261703E	td nowrap>
3C6120636C6173733D22	<a class="
4D504564697461222068	MPEdita" h
7265663D22687474703A	ref="http:
2F2F7370616365732E6D	//spaces.m
736E2E636F6D2F6D656D	sn.com/mem
626572732F71696E7169	bers/qinqi
6E416E6E69652F506572	nAnnie/Per
736F6E616C5370616365	sonalSpace
2E617370783F5F633031	.aspx?_c01
5F6D656D62657270726F	_memberpro
66696C6574696C653D73	filetile=s
686F7764656661756C74	howdefault
265F633D6D656D626572	&_c=member
70726F66696C6574696C	profiletil
65223E56696577207072	e">View pr
6F66696C652064657461	ofile deta
696C733C2F613E3C2F74	ils</a></t
643E0D0A203C2F74723E	d>.. </tr>
0D0A203C2F7461626C65	.. </table
3E0D0A203C2F74643E0D	>.. </td>.
0A203C2F74723E0D0A20	. </tr>..
3C2F7461626C653E3C2F	</table></
7370616365733A776964	spaces:wid
6765743E3C7370616365	get><space
733A7769646765742069	s:widget i
643D224D65646961506C	d="MediaPl
6179657222204D756C74	ayer" Mult
69496E7374616E63653D	iInstance=
2246616C73652220636C	"False" cl
6173733D2246756C6C52	ass="FullR
6567696F6E5769647468	egionWidth
2220506C6163656D656E	" Placemen
743D22416E7977686572	t="Anywher
6522204D6F7661626C65	e" Movable
3D2254727565223E3C64	="True"><d
69762069643D225F6374	iv id="_ct
6C335F4D6F64756C6548	l3_ModuleH
65616465725F4D61696E	eader_Main
50616E656C223E0D0A09	Panel">...
3C7461626C652063656C	<table cel
6C73706163696E673D22	lspacing="
302220636C6173733D22	0" class="
70686561646572222062	pheader" b
6F726465723D30207374	order=0 st
796C653D225749445448	yle="WIDTH
3A313030252220686569	:100%" hei
6768743D223232223E0D	ght="22">.
0A203C74723E0D0A203C	. <tr>.. <
746420636C6173733D22	td class="
6D6F645F746C63222077	mod_tlc" w
696474683D36206E6F77	idth=6 now
7261703E266E6273703B	rap>&nbsp;
3C2F74643E0D0A203C74	</td>.. <t
642077696474683D2231	d width="1
3030252220636C617373	00%" class
3D226D6F646865616422	="modhead"
3E0D0A203C7461626C65	>.. <table
2063656C6C7370616369	 cellspaci
6E673D22302220776964	ng="0" wid
74683D22313030252220	th="100%"
636C6173733D22666978	class="fix
65645461626C65207061	edTable pa
7274686561646572223E	rtheader">
0D0A203C74723E0D0A20	.. <tr>..
3C74642069643D222220	<td id=""
636C6173733D22626F6C	class="bol
6420656C6C6970736520	d ellipse
7061727444657461696C	partDetail
22206E6F777261703E57	" nowrap>W
696E646F7773204D6564	indows Med
696120506C617965723C	ia Player<
2F74643E0D0A203C7464	/td>.. <td
2020636C6173733D2270	  class="p
61727442756666657222	artBuffer"
20616C69676E3D227269	 align="ri
67687422206E6F777261	ght" nowra
703E3C2F74643E0D0A20	p></td>..
3C2F74723E0D0A203C2F	</tr>.. </
7461626C653E0D0A200D	table>.. .
0A203C2F74643E0D0A20	. </td>..
3C746420636C6173733D	<td class=
226D6F645F7472632220	"mod_trc"
77696474683D36206E6F	width=6 no
777261703E266E627370	wrap>&nbsp
3B3C2F74643E0D0A203C	;</td>.. <
2F74723E3C2F7461626C	/tr></tabl
653E0D0A0D0A3C2F6469	e>....</di
763E3C7461626C652049	v><table I
443D2250544D65646961	D="PTMedia
506C61796572436F6E74	PlayerCont
61696E65722220436C61	ainer" Cla
73733D2270617274736D	ss="partsm
62206F70617175655061	b opaquePa
72744D61696E2220626F	rtMain" bo
726465723D2230222063	rder="0" c
656C6C70616464696E67	ellpadding
3D2230222063656C6C73	="0" cells
706163696E673D223022	pacing="0"
2077696474683D223130	 width="10
3025223E0D0A203C7472	0%">.. <tr
3E0D0A203C746420616C	>.. <td al
69676E3D2263656E7465	ign="cente
72223E0D0A203C6F626A	r">.. <obj
6563742077696474683D	ect width=
2231303025220D0A200D	"100%".. .
0A20636C61737369643D	. classid=
22636C7369643A364246	"clsid:6BF
35324135322D33393441	52A52-394A
2D313144332D42313533	-11D3-B153
2D303043303446373946	-00C04F79F
414136222069643D2250	AA6" id="P
544D65646961506C6179	TMediaPlay
6572223E0D0A203C7061	er">.. <pa
72616D206E616D653D22	ram name="
55524C222076616C7565	URL" value
3D22687474703A2F2F63	="http://c
6C69636B2E737564612E	lick.suda.
6564752E636E2F6D7033	edu.cn/mp3
2F67616E677461692F66	/gangtai/f
656D616C652F63616979	emale/caiy
696C696E672F6368656E	iling/chen
62616F2F31302E6D7033	bao/10.mp3
223E0D0A203C70617261	">.. <para
6D206E616D653D227261	m name="ra
7465222076616C75653D	te" value=
2231223E0D0A203C7061	"1">.. <pa
72616D206E616D653D22	ram name="
63757272656E74506F73	currentPos
6974696F6E222076616C	ition" val
75653D2230223E0D0A20	ue="0">..
3C706172616D206E616D	<param nam
653D22706C6179436F75	e="playCou
6E74222076616C75653D	nt" value=
2231223E0D0A203C	"1">.. <

=saverow style="padding:0 8 2 8">.. <table cellspacing=0 bor
der=0>.. <tr>.. <td width=100%></td>.. <td nowrap><a class="
MPEdita" href="http://spaces.msn.com/members/qinqinAnnie/Per
sonalSpace.aspx?_c01_memberprofiletile=showdefault&_c=member
profiletile">View profile details</a></td>.. </tr>.. </table
>.. </td>.. </tr>.. </table></spaces:widget><spaces:widget i
d="MediaPlayer" MultiInstance="False" class="FullRegionWidth
" Placement="Anywhere" Movable="True"><div id="_ctl3_ModuleH
eader_MainPanel">...<table cellspacing="0" class="pheader" b
order=0 style="WIDTH:100%" height="22">.. <tr>.. <td class="
mod_tlc" width=6 nowrap>&nbsp;</td>.. <td width="100%" class
="modhead">.. <table cellspacing="0" width="100%" class="fix
edTable partheader">.. <tr>.. <td id="" class="bold ellipse
partDetail" nowrap>Windows Media Player</td>.. <td  class="p
artBuffer" align="right" nowrap></td>.. </tr>.. </table>.. .
. </td>.. <td class="mod_trc" width=6 nowrap>&nbsp;</td>.. <
/tr></table>....</div><table ID="PTMediaPlayerContainer" Cla
ss="partsmb opaquePartMain" border="0" cellpadding="0" cells
pacing="0" width="100%">.. <tr>.. <td align="center">.. <obj
ect width="100%".. .. classid="clsid:6BF52A52-394A-11D3-B153
-00C04F79FAA6" id="PTMediaPlayer">.. <param name="URL" value
="http://click.suda.edu.cn/mp3/gangtai/female/caiyiling/chen
bao/10.mp3">.. <param name="rate" value="1">.. <param name="
currentPosition" value="0">.. <param name="playCount" value=
"1">.. <

