[Snort-users] Unusual http traffic

Kevin Brown Kevin.M.Brown at ...1022...
Mon Oct 22 10:38:02 EDT 2001


Do you have a rule in snort to catch a cmd.exe request?  If not and you
aren't using the http_decode preprocessor then that could be the reason.
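An added illustration (not part of the thread and not Snort's own code): a small Python checker run over sample log lines modelled on the entries quoted below, showing the two points in the reply, matching on cmd.exe and decoding the URL before matching, which is what the http_decode preprocessor does for Snort rules. The field layout and the percent-encoded last sample line are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log, modelled on the entries quoted in the thread. Assumed
# layout: method, URI stem, URI query, status, counters. The last line is an
# added percent-encoded variant (an assumption) showing why matching must run
# on the decoded URL, which is what Snort's http_decode preprocessor provides.
SAMPLE_LOG = """\
GET /`n@/..GetVersion..GetVersion..GetVersion../winnt/system32/cmd.exe /c+dir 403 5 3135 108 16 - - - -
GET /`n@/..RegCloseKey..RegCloseKey..RegCloseKey../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /index.html - 200 5 3135 12 1 - - - -
GET /scripts/%2e%2e/winnt/system32/cmd%2eexe /c+dir 200 5 3135 99 16 - - - -
"""

CMD_EXE = re.compile(r"(^|/)cmd\.exe$")

def normalize_uri(uri: str) -> str:
    """Percent-decode (bounded, so nested encoding is unwrapped), fold case and slashes."""
    for _ in range(3):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("\\", "/").lower()

def parse_line(line: str):
    """Split one log line into (method, stem, query, status); None if too short."""
    fields = line.split()
    return tuple(fields[:4]) if len(fields) >= 4 else None

def is_cmd_exe_request(stem: str) -> bool:
    """True when the decoded URI stem ends in cmd.exe, however it was encoded."""
    return bool(CMD_EXE.search(normalize_uri(stem)))

def scan_log(text: str) -> list:
    """One finding per cmd.exe request, noting traversal and whether the server blocked it."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None or not is_cmd_exe_request(parsed[1]):
            continue
        method, stem, query, status = parsed
        path = normalize_uri(stem)
        findings.append({
            "method": method, "stem": path, "query": query, "status": status,
            "traversal": "../" in path,
            "blocked": not status.startswith("2"),  # a 2xx means the request got through
        })
    return findings
```

Calling scan_log(SAMPLE_LOG) returns three findings: the two 403s the server refused and the encoded request that a plain substring match on the raw URL would have missed.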

-----Original Message-----
From: Fraser Hugh [mailto:hugh_fraser at ...2804...]
Sent: Monday, October 22, 2001 10:28
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Unusual http traffic


I've been seeing the following URLs on our web server logs. They certainly
look suspicious.
 
GET /`n@/..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA../winnt/system32/cmd.exe /c+dir 403 5 3135 133 15 - - - -
GET /`n@/..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /`n@/..GetVersion..GetVersion..GetVersion..GetVersion..GetVersion../winnt/system32/cmd.exe /c+dir 403 5 3135 108 16 - - - -
GET /`n@/..TlsGetValue..TlsGetValue..TlsGetValue..TlsGetValue..TlsGetValue../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /`n@/..SetLastError..SetLastError..SetLastError..SetLastError..SetLastError../winnt/system32/cmd.exe /c+dir 403 5 3135 118 16 - - - -
GET /`n@/..RegCloseKey..RegCloseKey..RegCloseKey..RegCloseKey..RegCloseKey../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /`n@/..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA../winnt/system32/cmd.exe /c+dir 403 5 3135 163 16 - - - -
 
Nothing's picked up by Snort or NFR. Any ideas?
-----Original Message-----
From: Syed Mohammad Talha [mailto:talha at ...3474...]
Sent: Saturday, October 20, 2001 1:15 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] So many of false alerts


Hi,

I am getting so many false alerts, like:

MISC source port 53 to <1024     7648
UDP scan                          594
DNS zone transfer [arachNIDS]     396
TCP ******S* scan                 291
Virus - Possible pif Worm         197

and lots more. Can someone help me in reducing these?

Regards.
Talha