[Snort-users] "id command attempt" malformed packet

Abe Wagner abewagner at ...125...
Sat May 11 20:07:16 EDT 2002


Hi,
Recently I have been logging a lot of "id command attempt" attacks.  When I 
examine the alert log, it looks very normal, with identified source and 
destination ip addresses and tcp ports.  However, when I look into the 
packet, almost no relevant information seems to be there.  If I look into 
the "Trailer" information, I can see the data "fc 30 00 50" which I surmise 
is the source and destination ports of 64560 and 80.

I am logging thousands of other packets daily and they are all showing up 
very nicely in the tcpdump -- but not the packets from the "id command 
attempt" type of attack.  If these packets really don't contain my ip 
address, how do they get to my server?  Or is it some sort of logging error?  I 
have watched the attacks increase in number and frequency over the last 
several weeks and I am getting nervous...

Thanks,
Abe

ps. I am using snort 1.8.3 on W2K.


-----Alert generated by snort

05/07-23:37:35.723647  [**] [1:1333:1] WEB-ATTACKS id command attempt [**] 
[Classification: Web Application Attack] [Priority: 1] {TCP} 
24.100.12.135:64560 -> xxx.xxx.xxx.xxx:80



-----Packet captured by snort tcpdump, viewed by Ethereal

Frame 2190 (676 on wire, 676 captured)
    Arrival Time: May  7, 2002 23:37:35.723647000
    Time delta from previous packet: 457.393350000 seconds
    Time relative to first packet: 112488.865603000 seconds
    Frame Number: 2190
    Packet Length: 676 bytes
    Capture Length: 676 bytes
IEEE 802.3 Ethernet
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Length: 0
    Trailer: 00000000000000000000000000000000...
[Malformed Packet: LLC]

0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0170  fc 30 00 50 14 19 98 0d 6d 72 00 ee 50 18 3b d4   .0.P....mr..P.;.
0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0200  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0220  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0230  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0250  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0260  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0280  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0290  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
02a0  00 00 00 00                                       ....
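The question can be narrowed by decoding the only non-zero bytes in the dump. The following is an added example, not code from the post or from Snort: it parses an excerpt of the Ethereal hex dump above (omitted lines were all zeros; the 676-byte length comes from the frame summary), finds the first non-zero byte, and checks whether a plausible fixed-size TCP header starts there. The offset 34 used as the "expected" TCP header position assumes an ordinary Ethernet II frame carrying IPv4 without options.

```python
"""Decode what survives in the all-zero frame logged for the "id command attempt" alert.

Added example, not code from the original post or from Snort: it parses an
excerpt of the Ethereal hex dump reproduced above and checks whether the only
non-zero bytes form a plausible TCP header whose preceding Ethernet and IP
headers have been zeroed.
"""
import struct

# Excerpt copied from the hex dump in the post. Lines omitted here were all
# zeros in the original, and the 676-byte frame length comes from the
# Ethereal frame summary ("676 on wire, 676 captured").
HEXDUMP_EXCERPT = """\
0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0170  fc 30 00 50 14 19 98 0d 6d 72 00 ee 50 18 3b d4   .0.P....mr..P.;.
0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
02a0  00 00 00 00                                       ....
"""
FRAME_LEN = 676

ETH_HDR_LEN = 14          # Ethernet II header
IPV4_MIN_HDR_LEN = 20     # IPv4 header without options
EXPECTED_TCP_OFFSET = ETH_HDR_LEN + IPV4_MIN_HDR_LEN   # 34 in a normal frame (assumption)
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def parse_hexdump(text, frame_len):
    """Rebuild the frame bytes from Ethereal-style dump lines.

    Each line is '<4 hex offset>  <up to 16 "xx" bytes>   <ascii>'; the hex
    field occupies fixed columns 6..52, so the ASCII column is never mistaken
    for data. Offsets not present in the excerpt stay zero.
    """
    buf = bytearray(frame_len)
    for line in text.splitlines():
        if len(line) < 6:
            continue
        offset = int(line[0:4], 16)
        raw = bytes.fromhex(line[6:53].replace(" ", ""))
        buf[offset:offset + len(raw)] = raw
    return bytes(buf)


def decode_tcp_header(buf, offset):
    """Decode the fixed 20-byte TCP header at buf[offset:]."""
    fields = struct.unpack("!HHIIBBHHH", buf[offset:offset + 20])
    sport, dport, seq, ack, off_res, flag_bits, window, csum, urg = fields
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "header_len": (off_res >> 4) * 4,     # data offset is in 32-bit words
        "flags": [name for bit, name in TCP_FLAGS if flag_bits & bit],
        "window": window,
        "checksum": csum,
        "urgent": urg,
    }


def analyze_dump(text, frame_len):
    """Locate the first non-zero byte and test whether a TCP header starts there."""
    buf = parse_hexdump(text, frame_len)
    tcp_offset = next((i for i, b in enumerate(buf) if b), None)
    if tcp_offset is None or tcp_offset + 20 > len(buf):
        return {"tcp_offset": tcp_offset, "looks_like_tcp": False}
    tcp = decode_tcp_header(buf, tcp_offset)
    # A real TCP header has a data offset of 5..15 words and at least one
    # flag set; an arbitrary run of bytes rarely satisfies both.
    plausible = 20 <= tcp["header_len"] <= 60 and bool(tcp["flags"])
    return {
        "tcp_offset": tcp_offset,
        "expected_tcp_offset": EXPECTED_TCP_OFFSET,
        # True when the bytes where Ethernet/IPv4 headers should be are all zero
        "eth_ip_zeroed": not any(buf[:EXPECTED_TCP_OFFSET]),
        "nonzero_bytes": sum(1 for b in buf if b),
        "looks_like_tcp": plausible,
        "tcp": tcp,
    }


if __name__ == "__main__":
    report = analyze_dump(HEXDUMP_EXCERPT, FRAME_LEN)
    print("TCP header found at offset 0x%x (expected 0x%x in an Ethernet/IPv4 frame)"
          % (report["tcp_offset"], report["expected_tcp_offset"]))
    print("Ethernet/IP header bytes zeroed:", report["eth_ip_zeroed"])
    for key, value in report["tcp"].items():
        print("  %-10s %s" % (key, value))
```

Run stand-alone, the decode shows the 16 bytes at 0x170 are a complete, well-formed TCP header: ports 64560 to 80 (matching the alert), a 20-byte data offset, PSH+ACK set, and a non-zero window, with the 34 bytes where the Ethernet and IP headers belong all zero. Since the alert line itself carries the source and destination addresses, Snort's decoder saw intact headers when it fired; what is damaged is the stored copy of the packet. That is consistent with a logging or capture-file problem rather than with traffic reaching the server without an IP address.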


