[Snort-users] Unusual http traffic

Fraser Hugh hugh_fraser at ...2804...
Mon Oct 22 10:29:07 EDT 2001


I've been seeing the following URLs on our web server logs. They certainly
look suspicious.
 
GET /`n@/..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA../winnt/system32/cmd.exe /c+dir 403 5 3135 133 15 - - - -
GET /`n@/..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /`n@/..GetVersion..GetVersion..GetVersion..GetVersion..GetVersion../winnt/system32/cmd.exe /c+dir 403 5 3135 108 16 - - - -
GET /`n@/..TlsGetValue..TlsGetValue..TlsGetValue..TlsGetValue..TlsGetValue../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /`n@/..SetLastError..SetLastError..SetLastError..SetLastError..SetLastError../winnt/system32/cmd.exe /c+dir 403 5 3135 118 16 - - - -
GET /`n@/..RegCloseKey..RegCloseKey..RegCloseKey..RegCloseKey..RegCloseKey../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /`n@/..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA../winnt/system32/cmd.exe /c+dir 403 5 3135 163 16 - - - -
 
Nothing's picked up by Snort or NFR. Any ideas?
-----Original Message-----
From: Syed Mohammad Talha [mailto:talha at ...3474...]
Sent: Saturday, October 20, 2001 1:15 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] So many of false alerts


Hi,
 
I am getting so many false alerts, like:
 
MISC source port 53 to <1024                                         7648
UDP scan                                                             594
DNS zone transfer <http://whitehats.com/IDS/IDS212> [arachNIDS]      396
TCP ******S* scan                                                    291
Virus - Possible pif Worm                                            197
and lots more. Can someone help me in reducing these?
 
Regards.
Talha