[Snort-users] Alerts not getting into log

niceshorts at ...131...
Wed Sep 26 10:25:02 EDT 2001


    I'm getting a few invalid alerts mixed in with all the
    Nimda alerts I am getting.

    Here's an example:

[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
09/26-12:20:44.957813 172.16.1.1:4823 -> 172.16.100.100:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:3051
***AP*** Seq: 0x712F912F  Ack: 0x25AC2519  Win: 0x4470  TcpLen: 20

[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
09/26-12:20:45.511397 172.16.1.1:4822 -> 172.16.100.100:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:3052
***AP*** Seq: 0x712EE982  Ack: 0x25AB953F  Win: 0x4470  TcpLen: 20

    These alerts do not get logged to the binary snort log.

    Anomalies: TOS has the high order nybble lit up, IP ID field
    is 0, and the length is 3052 bytes.

    Not likely an actual packet but a stream reassembly problem?

    If there is anything I should do, please let me know.

    OS: win2k advanced server
    snort -V

-*> Snort! <*-
Version 1.8-WIN32 (Build 77)
By Martin Roesch (roesch at ...1935..., www.snort.org)
1.7-WIN32 Port By Michael Davis (mike at ...92..., www.datanerds.net/~mike)
1.8-WIN32 Port By Chris Reid (chris.reid at ...3029...)
          (based on code from 1.7 port)

    TIA,

    anthony kim
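As an added illustration (not part of the post above, and not Snort's own code), the following Python script parses alerts in the full-alert text format shown in the message and applies the three checks the poster lists by hand: a lit high-order TOS nybble, an IP ID of 0, and a datagram length larger than a single Ethernet frame could carry. The sample alert text is constructed to mirror the post (the second record is a made-up "normal" packet for contrast), and the 1500-byte MTU threshold is an assumption; it is the usual Ethernet payload limit, so any alert reporting DgmLen above it cannot have been captured as one frame and is a candidate for a reassembled or synthetic packet. The checks are heuristics for triage, not proof that a given alert came from stream reassembly.

```python
import re
from dataclasses import dataclass

# Constructed sample input in Snort full-alert format (modelled on the post; not real captures).
SAMPLE_ALERTS = """\
[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
09/26-12:20:44.957813 172.16.1.1:4823 -> 172.16.100.100:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:3051
***AP*** Seq: 0x712F912F  Ack: 0x25AC2519  Win: 0x4470  TcpLen: 20

[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
09/26-12:20:45.511397 172.16.1.1:4823 -> 172.16.100.100:80
TCP TTL:128 TOS:0x0 ID:4412 IpLen:20 DgmLen:216
***AP*** Seq: 0x712F912F  Ack: 0x25AC2519  Win: 0x4470  TcpLen: 20
"""

ETHERNET_MTU = 1500  # assumption: largest IP datagram that fits in one Ethernet frame

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
ENDPOINTS_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IP_RE = re.compile(
    r"^(\w+) TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)"
)


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ttl: int
    tos: int
    ip_id: int
    ip_len: int
    dgm_len: int


def parse_alerts(text: str) -> list:
    """Parse blank-line-separated full-alert records (TCP/UDP endpoint lines only)."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 4:
            continue
        h = HEADER_RE.match(lines[0])
        e = ENDPOINTS_RE.match(lines[2])
        ip = IP_RE.match(lines[3])
        if not (h and e and ip):
            continue  # skip records in a layout this parser does not handle
        alerts.append(Alert(
            gid=int(h.group(1)), sid=int(h.group(2)), rev=int(h.group(3)), msg=h.group(4),
            timestamp=e.group(1), src=e.group(2), sport=int(e.group(3)),
            dst=e.group(4), dport=int(e.group(5)),
            proto=ip.group(1), ttl=int(ip.group(2)), tos=int(ip.group(3), 16),
            ip_id=int(ip.group(4)), ip_len=int(ip.group(5)), dgm_len=int(ip.group(6)),
        ))
    return alerts


def flag_anomalies(alert: Alert) -> list:
    """Return human-readable flags for the three header oddities noted in the post."""
    flags = []
    if alert.tos & 0xF0:
        flags.append(f"TOS high-order nybble set (0x{alert.tos:02x})")
    if alert.ip_id == 0:
        flags.append("IP ID is 0")
    if alert.dgm_len > ETHERNET_MTU:
        flags.append(f"DgmLen {alert.dgm_len} exceeds Ethernet MTU {ETHERNET_MTU}")
    return flags


def analyze(text: str) -> list:
    """Parse the alert text and attach anomaly flags to each record."""
    return [
        {"sid": a.sid, "msg": a.msg, "timestamp": a.timestamp,
         "src": f"{a.src}:{a.sport}", "dst": f"{a.dst}:{a.dport}",
         "anomalies": flag_anomalies(a)}
        for a in parse_alerts(text)
    ]


if __name__ == "__main__":
    for rec in analyze(SAMPLE_ALERTS):
        status = "SUSPECT" if rec["anomalies"] else "ok"
        print(f"{rec['timestamp']} {rec['src']} -> {rec['dst']} [{rec['sid']}] {status}")
        for f in rec["anomalies"]:
            print(f"    - {f}")
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file contents; records whose endpoint line is not in the TCP/UDP "host:port -> host:port" shape (ICMP, for example) are skipped rather than mis-parsed.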
