[Snort-users] Current Attack...

Vadim Pushkin wiskbroom at ...125...
Tue May 7 07:18:11 EDT 2002


Greets

I am receiving a lot of complaints recently from one of my sensors.
However, when I view the payload, using ACID, I get a different
IP address from the one that shows up as the source IP. Also,
what would cause MySQL to barf at an attempt to enter this data
into itself?

Thanks,

Vadim


My Pay_Load:

#(2 - 35923) [2002-05-07 08:59:12]  ICMP Destination Unreachable 
(Fragmentation Needed and DF bit was set)
IPv4: 163.13.1.11 -> xxx.yyy.zzz.111 (I changed this on purpose)
      hlen=5 TOS=0 dlen=56 ID=10053 flags=0 offset=0 TTL=46 chksum=31997
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
      checksum=41848 id= seq=
Payload:  length = 32

000 : 00 00 05 D4 45 00 05 DC 27 45 40 00 F0 06 75 38   ....E...'E@...u8
010 : 3F 42 05 29 A3 0D 01 26 F0 D2 00 19 81 C4 E0 FE   ?B.)...&........

FROM_SENSOR:

May  7 05:52:37 obsd snort: database: mysql_error: Duplicate entry '2-35923' 
for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('2', 
'35923', '34', '2002-05-07 05:52:37+00')
May  7 05:52:37 obsd snort: database: mysql_error: Duplicate entry '2-35923' 
for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('2', 
'35923', '34', '2002-05-07 05:52:37+00')
May  7 05:52:37 obsd snort: database: mysql_error: Duplicate entry '2-35923' 
for key 1 SQL=INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, 
icmp_csum) VALUES ('2','35923','3','4','41848')
May  7 05:52:37 obsd snort: database: mysql_error: Duplicate entry '2-35923' 
for key 1 SQL=INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, 
icmp_csum) VALUES ('2','35923','3','4','41848')
May  7 05:52:37 obsd snort: database: mysql_error: Duplicate entry '2-35923' 
for key 1 SQL=INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver,ip_hlen, 
ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES 
('2','35923','2735538443','1061291305','4','5','0','56','10056','0','0','46','1','31994')
May  7 05:52:37 obsd snort: database: mysql_error: Duplicate entry '2-35923' 
for key 1 SQL=INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver,ip_hlen, 
ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES 
('2','35923','2735538443','1061291305','4','5','0','56','10056','0','0','46','1','31994')
May  7 05:52:37 obsd snort: database: mysql_error: Duplicate entry '2-35923' 
for key 1 SQL=INSERT INTO data (sid,cid,data_payload) VALUES 
('2','35923','000005D4450005DC27484000F00675353F420529A30D0126F0D2001981C4E0FE')
May  7 05:52:37 obsd snort: database: mysql_error: Duplicate entry '2-35923' 
for key 1 SQL=INSERT INTO data (sid,cid,data_payload) VALUES 
('2','35923','000005D4450005DC27484000F00675353F420529A30D0126F0D2001981C4E0FE')
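
Added example, not part of the original post: an ICMP Destination Unreachable message (type 3, code 4) carries the IP header plus the first 8 bytes of the datagram that triggered it (RFC 792), with the next-hop MTU in the second 16-bit word (RFC 1191), so the addresses visible in the payload belong to that embedded packet rather than to the ICMP sender. The sketch decodes a 32-byte payload of the same layout; the bytes are constructed with documentation addresses, and `decode_frag_needed` is a hypothetical helper name.

```python
import ipaddress
import struct

# Constructed sample, NOT the bytes from the post (documentation addresses).
SAMPLE = bytes.fromhex(
    "000005d4"                  # unused word + next-hop MTU (1492)
    "450005dc12344000f0060000"  # IPv4: len=1500, id, DF set, ttl=240, proto=TCP
    "c6336407"                  # embedded source 198.51.100.7
    "cb00710b"                  # embedded destination 203.0.113.11
    "f0d20019deadbeef"          # first 8 TCP bytes: sport, dport, sequence
)

def decode_frag_needed(payload: bytes) -> dict:
    """Decode the bytes that follow type/code/checksum in an ICMP 3/4 message."""
    if len(payload) < 24:
        raise ValueError("too short for MTU word plus an IPv4 header")
    _unused, mtu = struct.unpack("!HH", payload[:4])
    inner = payload[4:]
    (ver_ihl, _tos, total_len, ip_id, flags_off,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("embedded packet is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20:
        raise ValueError("invalid embedded header length")
    info = {
        "next_hop_mtu": mtu,
        "orig_len": total_len,
        "orig_id": ip_id,
        "df_set": bool(flags_off & 0x4000),
        "ttl": ttl,
        "proto": proto,
        "orig_src": str(ipaddress.IPv4Address(src)),
        "orig_dst": str(ipaddress.IPv4Address(dst)),
    }
    l4 = inner[ihl:]
    if proto in (6, 17) and len(l4) >= 4:  # TCP/UDP: ports are the first 4 bytes
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info

if __name__ == "__main__":
    for key, value in decode_frag_needed(SAMPLE).items():
        print(f"{key:>12}: {value}")
```

The embedded source is the host whose oversized, DF-flagged packet was dropped, and the embedded destination is the peer it was talking to; the outer ICMP source is the router reporting the drop.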

