[Snort-users] spurious .ida attempt detects

Russell Fulton r.fulton at ...3809...
Thu Nov 15 19:56:02 EST 2001


Hi,
	I am running snort-1.8.1-RELEASE on a debian box.  For some 
time now I have been getting alerts for the '.ida attemp' but no 
packets were logged. I reported this a couple of weeks ago but I did 
not see any responses.

I have just realised that there is something else odd about these 
alerts, the MAC addresses are both zero:

[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
 [Classification: Attempted Administrator Privilege Gain] [Priority: 10]
 11/16-14:39:24.545389 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x24E
 130.123.128.24:1754 -> 130.216.35.105:80 TCP TTL:240 TOS:0x10 ID:0 
IpLen:20 DgmLen:576
 ***AP*** Seq: 0xCB6CF3A1 Ack: 0xE03784F8 Win: 0x7DA0 TcpLen: 20

In this particular hour we logged 9 .ida alerts and none had packet 
data recorded (and all were also missing the MAC addresses).  Of these 
at least two were not code red (I can tell from the argus logs) and in 
one case I have verified with the server admin).

Any ideas what is going on?

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand





More information about the Snort-users mailing list