[Snort-users] Unusual http traffic

Fraser Hugh hugh_fraser at ...2804...
Mon Oct 22 10:51:01 EDT 2001


I've turned off the Code Red and Nimda alert rules since we're comfortable
with our ability to deal with those on the servers themselves. It's more the
balance of the URL that looked unusual.

-----Original Message-----
From: Kevin Brown [mailto:Kevin.M.Brown at ...1022...]
Sent: Monday, October 22, 2001 1:34 PM
To: 'Fraser Hugh'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Unusual http traffic



Do you have a rule in snort to catch a cmd.exe request?  If not and you
aren't using the http_decode preprocessor then that could be the reason.

-----Original Message----- 
From: Fraser Hugh [ mailto:hugh_fraser at ...2804...
<mailto:hugh_fraser at ...2804...> ] 
Sent: Monday, October 22, 2001 10:28 
To: snort-users at lists.sourceforge.net 
Subject: [Snort-users] Unusual http traffic 


I've been seeing the following URLs on our web server logs. They certainly
look suspicious. 
  
GET /`n@/..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA../winnt/system32/cmd.exe /c+dir 403 5 3135 133 15 - - - -

GET /`n@/..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -

GET /`n@/..GetVersion..GetVersion..GetVersion..GetVersion..GetVersion../winnt/system32/cmd.exe /c+dir 403 5 3135 108 16 - - - -

GET /`n@/..TlsGetValue..TlsGetValue..TlsGetValue..TlsGetValue..TlsGetValue../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -

GET /`n@/..SetLastError..SetLastError..SetLastError..SetLastError..SetLastError../winnt/system32/cmd.exe /c+dir 403 5 3135 118 16 - - - -

GET /`n@/..RegCloseKey..RegCloseKey..RegCloseKey..RegCloseKey..RegCloseKey../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -

GET /`n@/..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA../winnt/system32/cmd.exe /c+dir 403 5 3135 163 16 - - - -


Nothing's picked up by Snort or NFR. Any ideas? 
-----Original Message----- 
From: Syed Mohammad Talha [ mailto:talha at ...3474...
<mailto:talha at ...3474...> ] 
Sent: Saturday, October 20, 2001 1:15 AM 
To: snort-users at lists.sourceforge.net 
Subject: [Snort-users] So many of false alerts 


Hi, 

I am getting so many false alerts, like:

MISC source port 53 to <1024     7648
UDP scan                          594
DNS zone transfer [arachNIDS]     396
TCP ******S* scan                 291
Virus - Possible pif Worm         197
and lots more; can someone help me in reducing these?

Regards. 
Talha 
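As an added illustration (not code from anyone in this thread), here is a small Python pass over log lines shaped like the cmd.exe requests Fraser quoted, doing on the log what Kevin's http_decode remark is about on the wire: normalize the URI before matching on cmd.exe, and record whether a match on the raw, undecoded string would also have fired. The log field layout, the benign line and the percent-encoded line are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample in the shape of the entries quoted in the thread:
# method, URI stem, URI query, HTTP status, then further IIS-style columns
# (field layout is an assumption; only the first four fields are read).
# Lines 3 and 4 are made up here: a benign request and a percent-encoded
# variant that exercises the normalization step.
SAMPLE_LOG = """\
GET /`n@/..GetVersion..GetVersion..GetVersion..GetVersion..GetVersion../winnt/system32/cmd.exe /c+dir 403 5 3135 108 16 - - - -
GET /`n@/..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /index.html - 200 0 4521 210 5 - - - -
GET /scripts/cmd%2Eexe /c+dir 404 2 1450 96 3 - - - -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) ")
# Repeated "..Name.." tokens padding the path, as in the quoted URIs.
PADDING_RE = re.compile(r"\.\.([A-Za-z]+)(?=\.\.)")


def normalize_uri(uri: str) -> str:
    """Roughly what an HTTP decoding preprocessor does before content
    matching: percent-decode twice (undoes double encoding), fold case,
    and treat backslashes as path separators."""
    return unquote(unquote(uri)).lower().replace("\\", "/")


def scan_log(text: str) -> list:
    """Return one record per request whose normalized URI names cmd.exe."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        method, stem, query, status = m.groups()
        if "cmd.exe" not in normalize_uri(stem):
            continue
        hits.append({
            "line": lineno,
            "method": method,
            "status": int(status),
            # The query carries the command handed to cmd.exe ("/c+dir").
            "command": unquote_plus(query),
            "padding": sorted(set(PADDING_RE.findall(stem))),
            # 4xx/5xx means the server refused; still worth alerting on.
            "blocked": status[0] in "45",
            # Would a match on the raw, undecoded stem have fired too?
            "raw_matched": "cmd.exe" in stem.lower(),
        })
    return hits
```

The 403s in the quoted entries mean the server already refused the request; the point of a sensor rule is to see the attempt regardless of the outcome.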
