[Snort-users] Code Green???

Dushyanth Harinath dushy at ...3222...
Tue Sep 18 08:29:02 EDT 2001


Well, it seems to be everywhere. I have got nearly 800 alerts of the same type.

> We are getting this also. Very high traffic of this type. 
> 
> On Tue, 2001-09-18 at 09:27, Matthew Francis wrote:
>> Hi,
>> 
>> I'm getting LOADS of what looks like New Code Red attacks - Could this
>> be Code Green???  From one single 'attacking' PC I'm getting the
>> following log (There's 2 IDS's 1:Internet Facing, 2:DMZ):-
>> 
>> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
>> cmd.exe access [Classification: Attempted User Privilege Gain  
>> Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
>> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
>> cmd.exe access [Classification: Attempted User Privilege Gain  
>> Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
>> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
>> cmd.exe access [Classification: Attempted User Privilege Gain  
>> Priority: 8]: {Attacking PC}:1275 -> {Destination Server}:80
>> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
>> cmd.exe access [Classification: Attempted User Privilege Gain  
>> Priority: 8]: {Attacking PC}:1275 -> {Destination Server}:80
>> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
>> multiple decode attempt [Classification: Attempted User Privilege Gain
>> Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
>> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
>> multiple decode attempt [Classification: Attempted User Privilege Gain
>> Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
>> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
>> multiple decode attempt [Classification: Attempted User Privilege Gain
>> Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
>> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: WEB-../..:
>> {Attacking PC}:1294 -> {Destination Server}:80
>> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
>> multiple decode attempt [Classification: Attempted User Privilege Gain
>> Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
>> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
>> multiple decode attempt [Classification: Attempted User Privilege Gain
>> Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
>> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: WEB-../..:
>> {Attacking PC}:1304 -> {Destination Server}:80
>> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
>> multiple decode attempt [Classification: Attempted User Privilege Gain
>> Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
>> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
>> multiple decode attempt [Classification: Attempted User Privilege Gain
>> Priority: 8]: {Attacking PC}:1316 -> {Destination Server}:80
>> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]:
>> spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 ->
>> {Destination Server}:80 18-09-2001	15:13:55	System0.Alert	{IDS 2}	  
>> snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking
>> PC}:1316 -> {Destination Server}:80
>> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]:
>> spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 ->
>> {Destination Server}:80 18-09-2001	15:13:55	System0.Alert	{IDS 2}	  
>> snort[1472]: WEB-../..: {Attacking PC}:1316 -> {Destination Server}:80
>> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
>> cmd.exe access [Classification: Attempted User Privilege Gain  
>> Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
>> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]:
>> spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1323 ->
>> {Destination Server}:80 18-09-2001	15:13:55	Auth.Alert	{IDS
>> 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification:
>> Attempted User Privilege Gain   Priority: 8]: {Attacking PC}:1323 ->
>> {Destination Server}:80
>> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
>> cmd.exe access [Classification: Attempted User Privilege Gain  
>> Priority: 8]: {Attacking PC}:1331 -> {Destination Server}:80
>> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]:
>> spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1331 ->
>> {Destination Server}:80 18-09-2001	15:13:56	Auth.Alert	{IDS
>> 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification:
>> Attempted User Privilege Gain   Priority: 8]: {Attacking PC}:1341 ->
>> {Destination Server}:80
>> 18-09-2001	15:13:56	System0.Alert	{IDS 2}	   snort[1472]:
>> spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1341 ->
>> {Destination Server}:80 18-09-2001	15:13:56	Auth.Alert	{IDS
>> 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification:
>> Attempted User Privilege Gain   Priority: 8]: {Attacking PC}:1341 ->
>> {Destination Server}:80
>> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
>> cmd.exe access [Classification: Attempted User Privilege Gain  
>> Priority: 8]: {Attacking PC}:1350 -> {Destination Server}:80
>> 18-09-2001	15:13:56	System0.Alert	{IDS 2}	   snort[1472]:
>> spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1350 ->
>> {Destination Server}:80 18-09-2001	15:13:56	Auth.Alert	{IDS
>> 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification:
>> Attempted User Privilege Gain   Priority: 8]: {Attacking PC}:1350 ->
>> {Destination Server}:80
>> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
>> multiple decode attempt [Classification: Attempted User Privilege Gain
>> Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
>> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
>> multiple decode attempt [Classification: Attempted User Privilege Gain
>> Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
>> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
>> multiple decode attempt [Classification: Attempted User Privilege Gain
>> Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
>> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
>> multiple decode attempt [Classification: Attempted User Privilege Gain
>> Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
>> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
>> multiple decode attempt [Classification: Attempted User Privilege Gain
>> Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
>> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
>> multiple decode attempt [Classification: Attempted User Privilege Gain
>> Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
>> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
>> cmd.exe access [Classification: Attempted User Privilege Gain  
>> Priority: 8]: {Attacking PC}:1395 -> {Destination Server}:80
>> 
>> Obviously this is a massive log for one 'attack' attempt and I'm
>> getting this a LOT from all different IP address ranges which are all
>> standard dial up accounts (the ones I've checked anyway) with what
>> looks like unpatched IIS servers.
>> 
>> Anyone shed any light???
>> 
>> Thanks
>> 
>> -----
>> Matthew Francis

-- 
First they ignore you,            | Dushyanth Harinath  
then they laugh at you,           | Programmer/SysAdmin
then they fight you,              | Archean Infotech
then you win.- Mahatma Gandhi     | http://www.archeanit.com 
(possibly not talking about Linux)|
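
Added example, not part of the original messages: a Python script that triages alerts in the two syslog-relayed Snort formats quoted above, undoing the mail wrapping and reducing the raw alert volume to alerts, distinct connections and signatures per source. The sample lines, the sensor names ids1/ids2 and the addresses (RFC 5737 documentation ranges) are constructed, and parse_alerts and summarise are hypothetical names.

```python
import re

# Constructed sample in the two formats quoted in the thread (mail-wrapped,
# two records run together on one line); addresses are RFC 5737 placeholders.
SAMPLE = """\
18-09-2001\t15:13:55\tAuth.Alert\tids1\tsnort[846]: [1:1002:1]  WEB-IIS
cmd.exe access [Classification: Attempted User Privilege Gain
Priority: 8]: 192.0.2.10:1264 -> 198.51.100.5:80
18-09-2001\t15:13:55\tAuth.Alert\tids1\tsnort[846]: [1:1002:1]  WEB-IIS
cmd.exe access [Classification: Attempted User Privilege Gain
Priority: 8]: 192.0.2.10:1264 -> 198.51.100.5:80
18-09-2001\t15:13:55\tAuth.Alert\tids1\tsnort[846]: [1:970:1]  WEB-IIS
multiple decode attempt [Classification: Attempted User Privilege Gain
Priority: 8]: 192.0.2.10:1287 -> 198.51.100.5:80
18-09-2001\t15:13:55\tSystem0.Alert\tids2\t   snort[1472]:
spp_http_decode: IIS Unicode attack detected: 192.0.2.10:1316 ->
198.51.100.5:80 18-09-2001\t15:13:55\tSystem0.Alert\tids2\t
snort[1472]: WEB-../..: 192.0.2.10:1316 -> 198.51.100.5:80
18-09-2001\t15:13:56\tAuth.Alert\tids1\tsnort[846]: [1:1002:1]  WEB-IIS
cmd.exe access [Classification: Attempted User Privilege Gain
Priority: 8]: 203.0.113.7:2001 -> 198.51.100.5:80
"""

# A record starts wherever a dd-mm-yyyy hh:mm:ss stamp follows whitespace.
SPLIT = re.compile(r"\s(?=\d\d-\d\d-\d{4} \d\d:\d\d:\d\d )")
HOST = r"(?:\{[^}]+\}|[\d.]+)"  # address, or a redacted {placeholder}
ALERT = re.compile(
    r"(?P<ts>\S+ \S+) \S+ (?P<sensor>\{[^}]+\}|\S+) snort\[\d+\]: "
    r"(?:\[(?P<sid>[\d:]+)\] )?(?P<msg>.+?)(?: \[Classification: [^\]]*\])?: "
    r"(?P<src>" + HOST + r"):(?P<sport>\d+) -> (?P<dst>" + HOST + r"):(?P<dport>\d+)")

def parse_alerts(text):
    """Undo mail wrapping, split on timestamps, return one dict per alert."""
    flat = " ".join(text.split())  # collapse tabs, newlines, space runs
    matches = map(ALERT.fullmatch, SPLIT.split(flat))
    return [m.groupdict() for m in matches if m]  # unparsed records are dropped

def summarise(alerts):
    """Per source: raw alert count, distinct connections, signatures seen."""
    out = {}
    for a in alerts:
        s = out.setdefault(a["src"], {"alerts": 0, "flows": set(), "sigs": set()})
        s["alerts"] += 1
        s["flows"].add((a["sport"], a["dst"], a["dport"]))
        s["sigs"].add(a["msg"])
    return out

if __name__ == "__main__":
    for src, s in summarise(parse_alerts(SAMPLE)).items():
        print(src, s["alerts"], "alerts,", len(s["flows"]), "connections", sorted(s["sigs"]))
```
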

