[Snort-users] Interesting alerts.

John Sage jsage at ...2022...
Sun Sep 8 11:42:02 EDT 2002


Jeremy:

On Thu, Sep 05, 2002 at 03:17:52PM -0700, Jeremy Junginger wrote:
> I'm in the process of grooming an IDS, and came across some interesting
> alerts...about 18,000 of them.  I am considering "grooming" this alert
> out, but would like to understand the traffic.  Please provide any
> insights you may have.  I have intentionally left the source IP intact,
> as it is the external IP that the box is connecting to.  Let me know
> what you think.  Thanks,
> 
> ------------------------------------------------------------------------
> #(1 - 44731) [2002-09-05 12:38:18] [Bugtraq/4006]  DOS MSDTC attempt
> IPv4: 66.28.151.197 -> x.x.x.118
>       hlen=5 TOS=0 dlen=1500 ID=37730 flags=0 offset=0 TTL=107
> chksum=48209
> TCP:  port=80 -> dport: 3372  flags=***A**** seq=2626793598
>       ack=3945314208 off=5 res=0 win=16947 urp=0 chksum=34845
> Payload:  length = 1460
> 
> 000 : 43 2B 88 61 6B 80 AB B3 E5 76 5E 50 F8 34 07 41   C+.ak....v^P.4.A
> 010 : A3 09 9C 0A 14 87 E1 89 58 0A BC 00 A4 07 59 CB   ........X.....Y.
> 020 : 40 D4 66 E0 58 2C 90 14 AA AF 00 AD 29 1A 82 D9   @.f.X,......)...
> 030 : D0 95 71 1B 11 22 80 60 48 0D 28 34 FC 5F 49 5C   ..q..".`H.(4._I\
<snippage>

The rule *did* match:

[toot at ...2057... /home/www/html/sys_docs/snort187]# grep 4006 *

dos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS
 MSDTC attempt"; flags:A+; dsize:>1023; reference:bugtraq,4006;
 classtype:attempted-dos; sid:1408;  rev:5;)

But...

So, yes, the destination port *was* 3372 and the dsize *was* > 1024;
but, given that the source port is 80, one immediately wonders about
http traffic. The packet payload looks a lot like an img (jpeg, gif..)
file, or a binary...

Let's see:

[toot at ...2057... /]# host 66.28.151.197
Host 197.151.28.66.in-addr.arpa. not found: 3(NXDOMAIN)

[toot at ...2057... /etc/rc.d/init.d]# lynx -head -dump http://66.28.151.197/
HTTP/1.1 200 OK
Date: Sun, 08 Sep 2002 18:17:02 GMT
Server: GameSpy-XFS/1.0
Connection: close
Content-Type: text/html
Accept-Ranges: bytes
Cache-Control: no-cache


"GameSpy"? hmm..


[toot at ...2057... /]# lynx http://66.28.151.197/

FilePlanet Download System -
   _

   FilePlanet Download System
   Currently Downloading
   200 /200
   Waiting to Download
   238
   Estimated Wait
   59 minutes
   This public server is full!
   You can wait in line for an open slot.
   Let's Go
   [BUTTON]
   Why do public servers have lines?
   YOU DON'T HAVE TO WAIT!
   Subscribe to FilePlanet
   Get INSTANT access to dedicated, HIGH-SPEED servers without advertisements!
   advertisement
   Clicking on or refreshing an ad will not disrupt your place in line.


whois?

Registrant:
Critical Mass Gaming Systems (FILEPLANET-DOM)
   2900 S. Bristol St., Suite E204
   Costa Mesa, CA 92626-7908
   US    

Domain Name: FILEPLANET.COM    

Administrative Contact, Technical Contact:
      Andrea Bruns  (CMN2-ORG)hostmaster at ...6854...
      GameSpy Industries
      18002 Skypark Circle
      Irvine, CA 92614-6429
      US
      949-798-4200 Fax- 949-798-4299
      Fax- - 949-798-4299 

   Record expires on 09-Dec-2002.
   Record created on 08-Dec-1997.
   Database last updated on 8-Sep-2002 14:35:58 EDT. 

Domain servers in listed order: 
   NS.GAMESPY.COM               207.38.0.10
   NS2.GAMESPY.COM              207.38.0.11



Ring any bells? Somebody downloading games on your network?


- John
-- 
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
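Added example, not part of the original post and not Snort code: a small Python replay of why sid:1408 fired on the quoted packet, and what a session-direction check would do to it. It parses the hexdump lines John quotes from the alert, evaluates the stateless conditions of the rule he grepped out of dos.rules (external -> $HOME_NET 3372, flags:A+, dsize:>1023) against that packet, and then applies the same rule with a direction check in the spirit of Snort's flow:to_server,established. Assumptions: 10.0.0.118 stands in for the redacted x.x.x.118, the 64 recovered payload bytes are zero-padded up to the reported dsize of 1460, the second packet (from 198.51.100.7) is a constructed "real" hit to contrast against, and the home_is_server field stands in for the connection state a stateful engine would track.

```python
import re
from dataclasses import dataclass

# Constructed sample: the four hexdump lines quoted from the ACID alert in
# the post, in Snort's "offset : hex bytes   ascii" layout.
ALERT_HEXDUMP_LINES = [
    "000 : 43 2B 88 61 6B 80 AB B3 E5 76 5E 50 F8 34 07 41   C+.ak....v^P.4.A",
    "010 : A3 09 9C 0A 14 87 E1 89 58 0A BC 00 A4 07 59 CB   ........X.....Y.",
    "020 : 40 D4 66 E0 58 2C 90 14 AA AF 00 AD 29 1A 82 D9   @.f.X,......)...",
    "030 : D0 95 71 1B 11 22 80 60 48 0D 28 34 FC 5F 49 5C   ..q..\".`H.(4._I\\",
]

# Hex column only: the offset, a colon, then "HH " groups up to the run of
# spaces that precedes the ASCII column (the ASCII column is ignored).
HEXDUMP_LINE = re.compile(r"^\s*[0-9A-Fa-f]+\s*:\s*((?:[0-9A-Fa-f]{2}\s)+)")

HOME_NET_PREFIX = "10.0.0."  # assumption: stands in for the redacted x.x.x.0/24


def parse_snort_hexdump(lines):
    """Recover payload bytes from Snort/ACID-style hexdump lines."""
    out = bytearray()
    for line in lines:
        m = HEXDUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).strip())
    return bytes(out)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # Snort's flag column, e.g. "***A****"
    payload: bytes
    home_is_server: bool  # assumption: session state a stateful engine tracks


def is_home(ip):
    return ip.startswith(HOME_NET_PREFIX)


def sid1408_matches(p):
    """Stateless conditions of the dos.rules entry quoted in the post:
    $EXTERNAL_NET any -> $HOME_NET 3372; flags:A+; dsize:>1023."""
    return (not is_home(p.src) and is_home(p.dst) and p.dport == 3372
            and "A" in p.flags and len(p.payload) > 1023)


def sid1408_to_server_matches(p):
    """Same rule plus a direction check (this is the tuning suggestion, not
    the rule on the page): only fire when the external side opened the
    session, i.e. the home host is the server and the data flows to it."""
    return sid1408_matches(p) and p.home_is_server


def triage(p):
    """One-line verdict combining the rule and the port-80 observation."""
    if not sid1408_matches(p):
        return "no match"
    if p.sport == 80 and not p.home_is_server:
        return "false positive: server half of a client-initiated HTTP session"
    return "investigate: large ACK-only data to 3372 on an inbound session"


# The packet from the alert: 66.28.151.197:80 -> x.x.x.118:3372, dsize 1460.
PAYLOAD_PREFIX = parse_snort_hexdump(ALERT_HEXDUMP_LINES)
page_packet = Packet("66.28.151.197", 80, "10.0.0.118", 3372, "***A****",
                     PAYLOAD_PREFIX + b"\x00" * (1460 - len(PAYLOAD_PREFIX)),
                     home_is_server=False)

# Constructed contrast: an external client that itself connected to 3372.
attack_packet = Packet("198.51.100.7", 3321, "10.0.0.118", 3372, "***A****",
                       b"A" * 1500, home_is_server=True)

if __name__ == "__main__":
    for name, p in (("page packet", page_packet), ("attack packet", attack_packet)):
        print(f"{name}: rule={sid1408_matches(p)} "
              f"to_server={sid1408_to_server_matches(p)} -> {triage(p)}")
```

The stateless rule fires on both packets; only the direction-aware version separates the FilePlanet download (home host was the client, data coming back from port 80) from an inbound session to 3372 that would actually merit a look. That is the distinction a packet-by-packet `flags:A+; dsize:>1023` rule cannot make on its own, which is why 18,000 alerts came out of one gamer's download.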