[Snort-users] More nonexistent alerts

niceshorts at ...131...
Wed Sep 26 15:58:02 EDT 2001


    Hi snorters!

    I have upgraded my W2K box to Silicon Defense's build
    1.8.1b78 and we keep getting strange invalid alerts.

    The 2nd & 4th alerts below again show a bit lit in the high
    order nybble of the TOS field, a zero window size,
    and unlikely Ack byte numbers.

    Note how 2 & 4 do not have the DF bit.

    And these alerts do NOT log to the binary log.

    I am at a loss to explain it.

    -anthony kim

[from alert.ids]

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26-21:27:16.929281 205.200.66.174:3725 -> 172.16.100.100:80
TCP TTL:112 TOS:0x0 ID:40608 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8C7773DD  Ack: 0x5C3C1B10  Win: 0x2238  TcpLen: 20

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26-21:27:17.239170 205.200.66.174:3725 -> 172.16.100.100:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:137
***AP*** Seq: 0x8C77743E  Ack: 0xC51DE392  Win: 0x0  TcpLen: 20

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26-21:27:17.714444 205.200.66.174:3745 -> 172.16.100.100:80
TCP TTL:112 TOS:0x0 ID:10657 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8C7D5E58  Ack: 0x5C3FEF9D  Win: 0x2238  TcpLen: 20

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26-21:27:18.124452 205.200.66.174:3745 -> 172.16.100.100:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:137
***AP*** Seq: 0x8C7D5EB9  Ack: 0x0  Win: 0x0  TcpLen: 20

[from snort.log]

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/26-16:27:16.929281 0:A0:8E:B:5B:99 -> 0:50:8B:E1:E4:61 type:0x800 len:0x97
205.200.66.174:3725 -> 172.16.100.100:80 TCP TTL:112 TOS:0x0 ID:40608 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8C7773DD  Ack: 0x5C3C1B10  Win: 0x2238  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
63 31 25 31 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79  c1%1c../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A  c+dir HTTP/1.0..
48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E  Host: www..Connn
65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D  ection: close...
0A                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/26-16:27:17.714444 0:A0:8E:B:5B:99 -> 0:50:8B:E1:E4:61 type:0x800 len:0x97
205.200.66.174:3745 -> 172.16.100.100:80 TCP TTL:112 TOS:0x0 ID:10657 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8C7D5E58  Ack: 0x5C3FEF9D  Win: 0x2238  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
63 30 25 32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79  c0%2f../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A  c+dir HTTP/1.0..
48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E  Host: www..Connn
65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D  ection: close...
0A                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
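A triage script for the four alerts above, added here as an example and not part of the post: it parses Snort's text records, cross-checks each alert's flow and Seq against the packets that did reach snort.log, and lists the header inconsistencies the author points out (TOS high nibble, zero window, IP ID 0, TTL/DF differing from the flow's logged packets). The constants hold constructed copies of the post's records; the regex and field names are my own, and the blank-line splitting also tolerates the `=+=+` separators of a real snort.log.

```python
import re
# Constructed sample: the alert.ids records and snort.log headers quoted above ("[**]" lines, MAC line and payload hex omitted).
ALERT_IDS = """\
09/26-21:27:16.929281 205.200.66.174:3725 -> 172.16.100.100:80
TCP TTL:112 TOS:0x0 ID:40608 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8C7773DD  Ack: 0x5C3C1B10  Win: 0x2238  TcpLen: 20

09/26-21:27:17.239170 205.200.66.174:3725 -> 172.16.100.100:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:137
***AP*** Seq: 0x8C77743E  Ack: 0xC51DE392  Win: 0x0  TcpLen: 20

09/26-21:27:17.714444 205.200.66.174:3745 -> 172.16.100.100:80
TCP TTL:112 TOS:0x0 ID:10657 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8C7D5E58  Ack: 0x5C3FEF9D  Win: 0x2238  TcpLen: 20

09/26-21:27:18.124452 205.200.66.174:3745 -> 172.16.100.100:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:137
***AP*** Seq: 0x8C7D5EB9  Ack: 0x0  Win: 0x0  TcpLen: 20
"""
SNORT_LOG = """\
205.200.66.174:3725 -> 172.16.100.100:80 TCP TTL:112 TOS:0x0 ID:40608 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8C7773DD  Ack: 0x5C3C1B10  Win: 0x2238  TcpLen: 20

205.200.66.174:3745 -> 172.16.100.100:80 TCP TTL:112 TOS:0x0 ID:10657 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8C7D5E58  Ack: 0x5C3FEF9D  Win: 0x2238  TcpLen: 20
"""
# Header fields of one Snort text record once its lines are joined with spaces.
REC = re.compile(r"(?P<src>[\d.]+):(?P<sport>\d+) -> [\d.]+:\d+\s+TCP TTL:(?P<ttl>\d+) TOS:0x(?P<tos>[0-9A-Fa-f]+) "
                 r"ID:(?P<id>\d+) IpLen:\d+ DgmLen:\d+(?P<df> DF)?.*?Seq: 0x(?P<seq>[0-9A-Fa-f]+) +Ack: 0x[0-9A-Fa-f]+ +Win: 0x(?P<win>[0-9A-Fa-f]+)")

def parse(text):
    """One dict of IP/TCP header fields per blank-line-separated record; non-matching chunks are skipped."""
    hits = (REC.search(" ".join(r.splitlines())) for r in text.strip().split("\n\n"))
    return [{"flow": (m["src"], int(m["sport"])), "ttl": int(m["ttl"]), "df": bool(m["df"]),
             "tos": int(m["tos"], 16), "id": int(m["id"]), "seq": int(m["seq"], 16),
             "win": int(m["win"], 16)} for m in hits if m]

def triage(alert_text, log_text):
    """Map each alert's Seq to the reasons it looks spurious; an empty list means it is consistent."""
    logged = parse(log_text)
    seen = {(p["flow"], p["seq"]) for p in logged}
    ref = {p["flow"]: (p["ttl"], p["df"]) for p in logged}  # TTL/DF profile of each flow's real packets
    verdict = {}
    for a in parse(alert_text):
        checks = [(a["tos"] & 0xF0, "TOS high nibble set"), (a["win"] == 0, "zero window on a data segment"),
                  (a["id"] == 0, "IP ID 0"), ((a["flow"], a["seq"]) not in seen, "no matching packet in snort.log"),
                  ((a["ttl"], a["df"]) != ref.get(a["flow"], (a["ttl"], a["df"])), "TTL/DF differ from logged packets")]
        verdict[a["seq"]] = [why for hit, why in checks if hit]
    return verdict
```

Alerts 1 and 3 come back clean; alerts 2 and 4 collect every reason, including the missing snort.log packet, which is the pattern the author describes.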