[Snort-users] spurious .ida attempt detects

Martin Roesch roesch at ...1935...
Mon Nov 19 19:09:02 EST 2001


Hi Russel,
     What logging mode are you using?

     -Marty

Russell Fulton wrote:
> 
> Hi,
>         I am running snort-1.8.1-RELEASE on a debian box.  For some
> time now I have been getting alerts for the '.ida attemp' but no
> packets were logged. I reported this a couple of weeks ago but I did
> not see any responses.
> 
> I have just realised that there is something else odd about these
> alerts, the MAC addresses are both zero:
> 
> [**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
>  [Classification: Attempted Administrator Privilege Gain] [Priority: 10]
>  11/16-14:39:24.545389 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x24E
>  130.123.128.24:1754 -> 130.216.35.105:80 TCP TTL:240 TOS:0x10 ID:0
> IpLen:20 DgmLen:576
>  ***AP*** Seq: 0xCB6CF3A1 Ack: 0xE03784F8 Win: 0x7DA0 TcpLen: 20
> 
> In this particular hour we logged 9 .ida alerts and none had packet
> data recorded (and all were also missing the MAC addresses).  Of these
> at least two were not code red (I can tell from the argus logs) and in
> one case I have verified with the server admin).
> 
> Any ideas what is going on?
> 
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch at ...1935...
http://www.sourcefire.com - http://www.snort.org




More information about the Snort-users mailing list