[Snort-users] Snort alerts caused by possible legit traffic?

John Sage jsage at ...2022...
Sat Jun 7 12:00:28 EDT 2003


On Sat, Jun 07, 2003 at 03:54:48AM -0400, NismoSkyline wrote:
> A lot of machines using the same ISP as me have been setting off snort as shown below. Is it possible this is legit traffic?
> 
> [**] [1:1002:5] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 06/06-05:46:18.582271 attackerIP:2074 -> myIP:80
> TCP TTL:117 TOS:0x0 ID:2119 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0x235969AC  Ack: 0xAB4D7465  Win: 0x4470  TcpLen: 20

No. Just extremely common.

Given:

[jsage at ...8592... /usr/local/snort-2.0.0/rules] $ grep 'WEB-IIS cmd.exe' *
web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-IIS cmd.exe access"; flow:to_server,established;
content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002;
rev:5;)

You get different variations on:

input: snort.log-May.26.16:04
filter: ip and ( dst port 80 )
match: cmd.exe
##############
T 2003/05/25 16:12:12.696621 12.216.246.144:1482 -> 12.82.128.43:80 [AP]
  47 45 54 20 2f 63 2f 77    69 6e 6e 74 2f 73 79 73    GET /c/winnt/sys
  74 65 6d 33 32 2f 63 6d    64 2e 65 78 65 3f 2f 63    tem32/cmd.exe?/c
  2b 64 69 72 20 48 54 54    50 2f 31 2e 30 0d 0a 48    +dir HTTP/1.0..H
  6f 73 74 3a 20 77 77 77    0d 0a 43 6f 6e 6e 6e 65    ost: www..Connne
  63 74 69 6f 6e 3a 20 63    6c 6f 73 65 0d 0a 0d 0a    ction: close....
######

by the billions...


- John
-- 
"You are in a twisty maze of weblogs, all alike."

See our all-new look! http://www.finchhaven.com/
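As an added example (not code from the Snort project or from John's post), the Python below re-implements the part of sid:1002 that actually does the work and runs it over the ngrep dump quoted in the post plus a few constructed requests. It parses the rule text exactly as quoted from web-iis.rules, parses the hex/ASCII dump back into a packet, and applies the rule's only real test: a case-insensitive search for "cmd.exe" in traffic to $HTTP_PORTS. Assumptions: HTTP_PORTS is the snort.conf default of 80; $EXTERNAL_NET/$HTTP_SERVERS are not modelled and flow:to_server,established is approximated by the destination port; the addresses 192.0.2.10 and 198.51.100.5 and the extra requests are made up for this example (the "encoded_probe" request is modelled on the double-encoded traversal form of the same probe). The samples show why the alert is so noisy: the rule is a bare substring match, so a benign request whose URL merely contains "cmd.exe" fires it just as a worm probe does, while the same probe sent to a port outside $HTTP_PORTS is not seen at all.

```python
import re
from collections import namedtuple
from dataclasses import dataclass

# Rule text as quoted from snort-2.0.0/rules/web-iis.rules in the message above.
RULE_TEXT = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-IIS cmd.exe access"; flow:to_server,established; '
    'content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)'
)
HTTP_PORTS = {80}  # assumption: the snort.conf default "var HTTP_PORTS 80"

# The ngrep output from the post, verbatim (banner and separator lines included).
PAGE_DUMP = """\
input: snort.log-May.26.16:04
filter: ip and ( dst port 80 )
match: cmd.exe
##############
T 2003/05/25 16:12:12.696621 12.216.246.144:1482 -> 12.82.128.43:80 [AP]
  47 45 54 20 2f 63 2f 77    69 6e 6e 74 2f 73 79 73    GET /c/winnt/sys
  74 65 6d 33 32 2f 63 6d    64 2e 65 78 65 3f 2f 63    tem32/cmd.exe?/c
  2b 64 69 72 20 48 54 54    50 2f 31 2e 30 0d 0a 48    +dir HTTP/1.0..H
  6f 73 74 3a 20 77 77 77    0d 0a 43 6f 6e 6e 6e 65    ost: www..Connne
  63 74 69 6f 6e 3a 20 63    6c 6f 73 65 0d 0a 0d 0a    ction: close....
######
"""

Rule = namedtuple("Rule", "msg content nocase sid rev")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    payload: bytes


def parse_rule(text):
    """Pull out the options sid:1002 actually uses; other keywords are ignored."""
    opts = text[text.index("(") + 1:text.rindex(")")]

    def opt(key):  # value of key:"..."; or key:...;
        return re.search(r'\b%s:"?([^";]*)"?;' % key, opts).group(1)

    return Rule(opt("msg"), opt("content").encode(), bool(re.search(r"\bnocase;", opts)),
                int(opt("sid")), int(opt("rev")))


HDR = re.compile(r"^T \S+ \S+ (\S+):(\d+) -> (\S+):(\d+) \[(\w+)\]$")
HEXCOL = re.compile(r"^[0-9a-f]{2}( [0-9a-f]{2})*$")


def parse_ngrep(dump):
    """Parse 'T ...' headers plus indented hex/ASCII lines into Packets.

    Hex columns come before the ASCII column, so decoding stops at the first
    column that is not hex pairs (an ASCII column that itself looks like hex
    pairs, e.g. "ab cd", would be misread; good enough for this example)."""
    pkts = []
    for line in dump.splitlines():
        m = HDR.match(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            pkts.append(Packet(src, int(sport), dst, int(dport), flags, b""))
        elif pkts and line.startswith(" "):
            for col in re.split(r" {2,}", line.strip()):
                if not HEXCOL.match(col):
                    break
                pkts[-1].payload += bytes.fromhex(col.replace(" ", ""))
    return pkts


def match(rule, pkt):
    """Evaluate the rule against one packet; returns an alert line or None.
    $EXTERNAL_NET/$HTTP_SERVERS are not modelled; flow:to_server,established
    is approximated by "destination port is an HTTP port"."""
    if pkt.dport not in HTTP_PORTS:
        return None
    hay, needle = pkt.payload, rule.content
    if rule.nocase:
        hay, needle = hay.lower(), needle.lower()
    if needle not in hay:
        return None
    request_line = pkt.payload.split(b"\r\n", 1)[0].decode("latin-1")
    return (f"[**] [1:{rule.sid}:{rule.rev}] {rule.msg} [**] "
            f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {request_line}")


def sample_packets():
    """The packet from the post plus constructed ones (documentation addresses
    192.0.2.10 / 198.51.100.5; the requests are made up for this example)."""
    def mk(dport, request_line):
        return Packet("192.0.2.10", 2074, "198.51.100.5", dport, "AP",
                      request_line + b"\r\nHost: www\r\n\r\n")
    probe = b"GET /scripts/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0"
    return {
        "page_probe": parse_ngrep(PAGE_DUMP)[0],
        "encoded_probe": mk(80, probe),       # upper case: nocase still hits
        "benign_doc_page": mk(80, b"GET /docs/cmd.exe-reference.html HTTP/1.1"),
        "plain_index": mk(80, b"GET /index.html HTTP/1.0"),
        "probe_on_8080": mk(8080, probe),     # missed unless HTTP_PORTS has 8080
    }


def run_samples():
    """Return {sample name: alert line or None} for every sample packet."""
    rule = parse_rule(RULE_TEXT)
    return {name: match(rule, pkt) for name, pkt in sample_packets().items()}
```

Calling run_samples() gives an alert in the page's own "[**] [1:1002:5] ..." shape for the worm probe from the post, for the upper-cased traversal variant, and for the harmless documentation URL, and None for the plain index page and for the probe aimed at 8080. The first is what makes the alert "extremely common"; the last two are the caveats to keep in mind before tuning it.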
