[Snort-users] Code Green???

Matthew Francis mf at ...2811...
Tue Sep 18 07:29:04 EDT 2001


Hi,

I'm getting LOADS of what look like New Code Red attacks - could this be
Code Green???  From one single 'attacking' PC I'm getting the following log
(there are 2 IDSs: 1: Internet-facing, 2: DMZ):-

18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: {Attacking PC}:1275 -> {Destination Server}:80
18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: {Attacking PC}:1275 -> {Destination Server}:80
18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: WEB-../..: {Attacking PC}:1294 -> {Destination Server}:80
18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: WEB-../..: {Attacking PC}:1304 -> {Destination Server}:80
18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: WEB-../..: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1323 -> {Destination Server}:80
18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: {Attacking PC}:1331 -> {Destination Server}:80
18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1331 -> {Destination Server}:80
18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: {Attacking PC}:1341 -> {Destination Server}:80
18-09-2001	15:13:56	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1341 -> {Destination Server}:80
18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: {Attacking PC}:1341 -> {Destination Server}:80
18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: {Attacking PC}:1350 -> {Destination Server}:80
18-09-2001	15:13:56	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1350 -> {Destination Server}:80
18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: {Attacking PC}:1350 -> {Destination Server}:80
18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: {Attacking PC}:1395 -> {Destination Server}:80

Obviously this is a massive log for one 'attack' attempt, and I'm getting
this a LOT from all different IP address ranges, which are all standard dial-up
accounts (the ones I've checked anyway) with what look like unpatched
IIS servers.

Can anyone shed any light???

Thanks

-----
Matthew Francis
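One way to make sense of a log like the one above, as an added example that is not from the post or from Snort itself: parse the syslog-forwarded alert lines and group them by client source port, since each source port is one TCP connection and therefore one HTTP request, so the many alerts collapse into the few requests that raised them, and a per-sensor view shows which requests both the Internet-facing sensor and the DMZ sensor saw. The sample lines and the placeholder addresses are constructed in the shape of the alerts in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the syslog-forwarded alerts in the post
# (date, time, facility, {sensor}, snort message); the hosts are placeholder
# addresses standing in for {Attacking PC} and {Destination Server}.
SAMPLE_LOG = """\
18-09-2001\t15:13:55\tAuth.Alert\t{IDS 1}\tsnort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 192.0.2.10:1264 -> 198.51.100.5:80
18-09-2001\t15:13:55\tAuth.Alert\t{IDS 1}\tsnort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain   Priority: 8]: 192.0.2.10:1264 -> 198.51.100.5:80
18-09-2001\t15:13:55\tAuth.Alert\t{IDS 1}\tsnort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: 192.0.2.10:1294 -> 198.51.100.5:80
18-09-2001\t15:13:55\tSystem0.Alert\t{IDS 2}\t   snort[1472]: WEB-../..: 192.0.2.10:1294 -> 198.51.100.5:80
18-09-2001\t15:13:55\tSystem0.Alert\t{IDS 2}\t   snort[1472]: spp_http_decode: IIS Unicode attack detected: 192.0.2.10:1316 -> 198.51.100.5:80
18-09-2001\t15:13:55\tSystem0.Alert\t{IDS 2}\t   snort[1472]: WEB-../..: 192.0.2.10:1316 -> 198.51.100.5:80
18-09-2001\t15:13:55\tAuth.Alert\t{IDS 1}\tsnort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: 192.0.2.10:1316 -> 198.51.100.5:80
"""

# Rule alerts carry a "[gid:sid:rev]" prefix and a "[Classification: ...]" suffix
# around the rule name; preprocessor alerts (spp_http_decode, WEB-../..) have neither.
ALERT_RE = re.compile(
    r"^(?P<date>\S+)\t(?P<time>\S+)\t\S+\t\{(?P<sensor>[^}]+)\}\t\s*snort\[\d+\]: "
    r"(?:\[\d+:\d+:\d+\]\s+)?(?P<alert>.*?)(?: \[Classification:[^\]]*\])?: "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)

def parse_alert(line):
    """Return the fields of one alert line, or None for a line that is not one."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def group_by_connection(lines):
    """Map (src, sport, dst, dport) -> {sensor: set of alert names}.
    Each client source port is one TCP connection, i.e. one HTTP request,
    so this collapses the repeated alerts into the requests that raised them."""
    conns = defaultdict(lambda: defaultdict(set))
    for rec in filter(None, map(parse_alert, lines)):
        key = (rec["src"], int(rec["sport"]), rec["dst"], int(rec["dport"]))
        conns[key][rec["sensor"]].add(rec["alert"])
    return conns

def sensor_coverage(conns, outer="IDS 1", inner="IDS 2"):
    """Count requests seen only by the Internet-facing sensor, only by the DMZ one, by both, or by neither."""
    counts = {"outer_only": 0, "inner_only": 0, "both": 0, "other": 0}
    for sensors in conns.values():
        o, i = outer in sensors, inner in sensors
        counts["both" if o and i else "outer_only" if o else "inner_only" if i else "other"] += 1
    return counts

if __name__ == "__main__":
    conns = group_by_connection(SAMPLE_LOG.splitlines())
    for key, sensors in sorted(conns.items()):
        print(key, {s: sorted(a) for s, a in sensors.items()})
    print(sensor_coverage(conns))
```

A request that only the outer sensor reports is worth a second look at the DMZ sensor's rule set or placement, since both should see traffic that reaches the server.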
