[Snort-users] cmd.exe? in packets that look normal
pauls at ...6838...
Thu Jul 10 15:40:18 EDT 2003
I rewrote the rule that looks for cmd.exe (sid:1002 in web-iis.rules) to
look for outgoing traffic *from* our network, and I changed the content
from "cmd.exe" to "cmd.exe?" to lessen the FPs.
This rule now works very well for catching boxes on our network that get
infected with Code Red or Nimda - mostly from our student residences.
However, I'm seeing a lot of packets like this (yes, I know "a lot" is a
relative term), in fact, *most* of the packets that trip this rule look
like this (I munged the src ip):
[packet dump truncated in the archive; only these fragments survive]
length = 536
le; MSIE 5.01; W
Aside from the obvious, these look like perfectly normal web sessions. Is
anyone else seeing this? Anyone have any ideas what it is? It's too
random to really be Code Red/Nimda, but it's an obvious Code Red/Nimda sig.
Is this something retained in memory that ends up in a packet going out?
Infected boxes usually spew hundreds of these, but these just show up here
and there, from different IPs all over our network.
And before anyone asks, yes, this box is running IIS 5.0, and yes it's
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
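An added example, not from the post and not Snort's own code: a small Python model of the rewritten rule's matching logic (source in the home net, destination outside it, HTTP port, then a plain substring match on "cmd.exe?"), run over constructed packets, with a per-source hit count that separates the sustained scanning of an infected host from the one-off hits the post describes. The network ranges, sample packets and threshold are assumptions made for this example.

```python
import ipaddress
from collections import Counter

# Assumed ranges standing in for $HOME_NET / $HTTP_PORTS in the rewritten rule.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
HTTP_PORTS = {80, 8080}

# Constructed outbound packets: (src_ip, dst_ip, dst_port, payload). IPs and
# payloads are made up; they are not captures from the post.
SAMPLE_PACKETS = [
    # Host that looks infected: repeated Code Red / Nimda style probes.
    *[("10.1.1.5", "198.51.100.%d" % i, 80,
       b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n") for i in range(3)],
    *[("10.1.1.5", "198.51.100.%d" % i, 80,
       b"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n") for i in range(3, 9)],
    # One-off hit from an otherwise normal browser session: the string sits in a
    # Referer header, which is enough to trip a content match (constructed case).
    ("10.2.3.4", "203.0.113.7", 80,
     b"GET /index.html HTTP/1.1\r\n"
     b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)\r\n"
     b"Referer: http://203.0.113.7/scripts/../winnt/system32/cmd.exe?/c+dir\r\n"),
    # Inbound probe: wrong direction for the rewritten rule, must not count.
    ("203.0.113.9", "10.2.3.4", 80, b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n"),
    # Outbound text mentioning cmd.exe without the '?': the tightened content
    # string is what keeps this out.
    ("10.5.5.5", "203.0.113.7", 80, b"POST /forum HTTP/1.1\r\n\r\nhow do I run cmd.exe"),
]


def matches_rule(src, dst, dport, payload, pattern=b"cmd.exe?"):
    """Direction, port and content checks of the rewritten rule, simplified:
    no flow/established tracking, and a case-sensitive substring match."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in HOME_NET or dst_ip in HOME_NET or dport not in HTTP_PORTS:
        return False
    return pattern in payload


def hits_per_source(packets, pattern=b"cmd.exe?"):
    """Count alerts per internal source address."""
    return Counter(p[0] for p in packets if matches_rule(*p, pattern=pattern))


def triage(packets, threshold=5):
    """Split alerting sources into sustained scanners (likely infected) and
    sporadic single hits that deserve a look but are not an outbreak."""
    counts = hits_per_source(packets)
    return ({s: n for s, n in counts.items() if n >= threshold},
            {s: n for s, n in counts.items() if n < threshold})
```

Running `hits_per_source` with the old pattern `b"cmd.exe"` shows the extra source that the `?` removes.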