[Snort-users] spurious .ida attempt detects
r.fulton at ...3809...
Thu Nov 15 19:56:02 EST 2001
I am running snort-1.8.1-RELEASE on a debian box. For some
time now I have been getting alerts for the '.ida attempt' but no
packets were logged. I reported this a couple of weeks ago but I did
not see any responses.
I have just realised that there is something else odd about these
alerts, the MAC addresses are both zero:
[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
11/16-14:39:24.545389 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x24E
184.108.40.206:1754 -> 220.127.116.11:80 TCP TTL:240 TOS:0x10 ID:0
***AP*** Seq: 0xCB6CF3A1 Ack: 0xE03784F8 Win: 0x7DA0 TcpLen: 20
In this particular hour we logged 9 .ida alerts and none had packet
data recorded (and all were also missing the MAC addresses). Of these
at least two were not Code Red (I can tell from the argus logs, and in
one case I have verified with the server admin).
Any ideas what is going on?
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
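As an added example (not part of the post, and not Snort's own code), here is a small Python parser for the alert.full record layout quoted above. It flags records whose link-layer fields are empty (both MACs 0:0:0:0:0:0 and ether type 0x0), so that such alerts can be pulled out and cross-checked against other logs the way the post does with argus; the two sample records are constructed, the first mirroring the alert in the post.

```python
import re

# Constructed sample in Snort 1.8 alert.full layout: record 1 mirrors the
# anomalous alert from the post, record 2 is a normal alert with real MACs.
SAMPLE = """\
[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
11/16-14:39:24.545389 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x24E
184.108.40.206:1754 -> 220.127.116.11:80 TCP TTL:240 TOS:0x10 ID:0
***AP*** Seq: 0xCB6CF3A1 Ack: 0xE03784F8 Win: 0x7DA0 TcpLen: 20

[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
11/16-14:41:02.100000 0:50:BA:1:2:3 -> 0:D0:B7:4:5:6 type:0x800 len:0x5EA
10.1.2.3:3145 -> 10.9.8.7:80 TCP TTL:112 TOS:0x0 ID:4711
***AP*** Seq: 0x1A2B3C4D Ack: 0x5E6F7081 Win: 0x4470 TcpLen: 20
"""

# One regex per line of a record; the named groups become dict keys.
HEADER = re.compile(r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]")
LINK = re.compile(r"^(?P<ts>\S+) (?P<smac>\S+) -> (?P<dmac>\S+) "
                  r"type:0x(?P<etype>[0-9A-Fa-f]+) len:0x(?P<len>[0-9A-Fa-f]+)$")
IP = re.compile(r"^(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
                r"(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:0x[0-9A-Fa-f]+ ID:(?P<ipid>\d+)")

def parse_alerts(text):
    """Split alert.full text on blank lines and extract one dict per record."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 4:
            continue
        m = [HEADER.match(lines[0]), LINK.match(lines[2]), IP.match(lines[3])]
        if not all(m):
            continue  # malformed record: skip rather than guess at fields
        rec = {}
        for match in m:
            rec.update(match.groupdict())
        alerts.append(rec)
    return alerts

def is_suspect(rec):
    """True when the link layer is empty: zero MACs and ether type 0x0,
    which is what the post's alerts without logged packet data look like."""
    zero = "0:0:0:0:0:0"
    return rec["smac"] == zero and rec["dmac"] == zero and int(rec["etype"], 16) == 0

def suspect_alerts(text):
    """Return the records that should be cross-checked against other logs."""
    return [r for r in parse_alerts(text) if is_suspect(r)]
```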