[Snort-sigs] FPs: MS-SQL probe response overflow attempt,Sig ID,2329

Russell Fulton r.fulton at ...575...
Thu Feb 9 12:53:03 EST 2006


Have a bunch of these from *one* TCP session which originated in our
resnet.  No idea what the traffic is, unfortunately; it is some sort of
large binary transfer.

Russell

META
--------
SID	CID	TimeStamp		Signature
6	7972006	2006-02-09 15:11:45	MS-SQL probe response overflow attempt
Sig ID
2329

Sensor Hostname				Sensor Interface
hihi.insec.auckland.ac.nz	new dmz sensor

IP
--------
Source Address	Dest Address	Ver	Hdr Len
130.216.1.194	72.65.10.239	4	5
TOS	length	ID	flags	offset	TTL	chksum
0	894	60596	0	0	127	29680

Resolved Source
ororke.resnet.auckland.ac.nz

Resolved Dest
pool-72-65-10-239.bflony.east.verizon.net

UDP
--------
Source Port	Dest Port	Length	Checksum
51914		17910		874	38096

DATA
--------




