[Snort-users] Code Green???

Larry E. Smith Jr. lsmithjr at ...2789...
Tue Sep 18 08:35:04 EDT 2001


Could you guys tell me the signature and what rules file is detecting this
alert?

Thanks!

----- Original Message -----
From: "Dushyanth Harinath" <dushy at ...3222...>
To: <snort-users at lists.sourceforge.net>
Sent: Tuesday, September 18, 2001 11:18 AM
Subject: Re: [Snort-users] Code Green???


> well it seems to be everywhere..i have got nearly 800 alerts of the same
> type..
>
> > We are getting this also. Very high traffic of this type.
> >
> > On Tue, 2001-09-18 at 09:27, Matthew Francis wrote:
> >> Hi,
> >>
> >> I'm getting LOADS of what looks like New Code Red attacks - Could this
> >> be Code Green???  From one single 'attacking' PC I'm getting the
> >> following log (There's 2 IDS's 1:Internet Facing, 2:DMZ):-
> >>
> >> 18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS
> >> cmd.exe access [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS
> >> cmd.exe access [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS
> >> cmd.exe access [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1275 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS
> >> cmd.exe access [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1275 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS
> >> multiple decode attempt [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS
> >> multiple decode attempt [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS
> >> multiple decode attempt [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]: WEB-../..:
> >> {Attacking PC}:1294 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS
> >> multiple decode attempt [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS
> >> multiple decode attempt [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]: WEB-../..:
> >> {Attacking PC}:1304 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS
> >> multiple decode attempt [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS
> >> multiple decode attempt [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1316 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]:
> >> spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 ->
> >> {Destination Server}:80
> >> 18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]:
> >> spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 ->
> >> {Destination Server}:80
> >> 18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]:
> >> spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 ->
> >> {Destination Server}:80
> >> 18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]: WEB-../..:
> >> {Attacking PC}:1316 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS
> >> cmd.exe access [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]:
> >> spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1323 ->
> >> {Destination Server}:80
> >> 18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS
> >> cmd.exe access [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS
> >> cmd.exe access [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1331 -> {Destination Server}:80
> >> 18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]:
> >> spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1331 ->
> >> {Destination Server}:80
> >> 18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS
> >> cmd.exe access [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1341 -> {Destination Server}:80
> >> 18-09-2001 15:13:56 System0.Alert {IDS 2}    snort[1472]:
> >> spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1341 ->
> >> {Destination Server}:80
> >> 18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS
> >> cmd.exe access [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1341 -> {Destination Server}:80
> >> 18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS
> >> cmd.exe access [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1350 -> {Destination Server}:80
> >> 18-09-2001 15:13:56 System0.Alert {IDS 2}    snort[1472]:
> >> spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1350 ->
> >> {Destination Server}:80
> >> 18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS
> >> cmd.exe access [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1350 -> {Destination Server}:80
> >> 18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS
> >> multiple decode attempt [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
> >> 18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS
> >> multiple decode attempt [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
> >> 18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS
> >> multiple decode attempt [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
> >> 18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS
> >> multiple decode attempt [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
> >> 18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS
> >> multiple decode attempt [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
> >> 18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS
> >> multiple decode attempt [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
> >> 18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS
> >> cmd.exe access [Classification: Attempted User Privilege Gain
> >> Priority: 8]: {Attacking PC}:1395 -> {Destination Server}:80
> >>
> >> Obviously this is a massive log for one 'attack' attempt and I'm
> >> getting this a LOT from all different IP address ranges which are all
> >> standard dial up accounts (the ones I've checked anyway) with what
> >> looks like unpatched IIS servers.
> >>
> >> Anyone shed any light???
> >>
> >> Thanks
> >>
> >> -----
> >> Matthew Francis
>
> --
> First they ignore you,            | Dushyanth Harinath
> then they laugh at you,           | Programmer/SysAdmin
> then they fight you,              | Archean Infotech
> then you win.- Mahatma Gandhi     | http://www.archeanit.com
> (possibly not talking about Linux)|

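A triage sketch for the kind of log quoted in this thread, added here as an example and not part of any poster's message: it unwraps the mail-folded syslog lines, reads the `[gid:sid:rev]` triple (generator ID, signature ID, revision) where the sensor prints one, and groups alerts by source port so repeated and cross-sensor alerts for one connection collapse into a single row. The sample input is constructed, and the regexes assume exactly the field layout shown in the quoted log.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the alerts quoted in the thread,
# including one entry fused onto the previous line by mail wrapping.
SAMPLE = """\
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS
cmd.exe access [Classification: Attempted User Privilege Gain
Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS
cmd.exe access [Classification: Attempted User Privilege Gain
Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS
multiple decode attempt [Classification: Attempted User Privilege Gain
Priority: 8]: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]:
spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 ->
{Destination Server}:80 18-09-2001 15:13:55 System0.Alert {IDS 2}
snort[1472]: WEB-../..: {Attacking PC}:1316 -> {Destination Server}:80
"""

# Every entry starts with a DD-MM-YYYY HH:MM:SS stamp; split just before it.
STAMP = re.compile(r"(?=\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2} )")
ENTRY = re.compile(
    r"\{(?P<sensor>IDS \d+)\}\s+snort\[\d+\]:\s+"
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?"   # absent on IDS 2
    r"(?P<msg>.+?)(?:\s+\[Classification:.*?\])?:\s+"
    r"\{Attacking PC\}:(?P<sport>\d+)\s+->")

def parse_alerts(text):
    """Unwrap mail-folded lines and return one dict per alert entry."""
    flat = " ".join(text.split())
    matches = (ENTRY.search(chunk) for chunk in STAMP.split(flat))
    return [m.groupdict() for m in matches if m]

def summarize(alerts):
    """Group alerts by source port (one TCP connection each), deduplicated."""
    by_conn = defaultdict(set)
    for a in alerts:
        label = f"sid {a['sid']}" if a["sid"] else "no sid"
        by_conn[int(a["sport"])].add((a["sensor"], label, a["msg"]))
    return {port: sorted(seen) for port, seen in by_conn.items()}

if __name__ == "__main__":
    for port, seen in sorted(summarize(parse_alerts(SAMPLE)).items()):
        print(port, seen)
```

The `sid` value is the number to search for across the rules files loaded by the sensor's configuration; entries without a triple come from a sensor whose output format does not print one.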