[Snort-users] Repeated warnings

Manuel Balderrábano garibolo at ...3145...
Wed May 12 02:37:01 EDT 2004


Hi, list.

I have been watching repeated access attempts to the firewall over a couple
of days.

The steps are all the same:

[**] [1:1070:6] WEB-MISC WebDAV search access [**]
[Classification: access to a potentially vulnerable web application] 
[Priority: 2]
05/11-12:41:17.335874 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1472 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83875ABE  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS474]

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[Classification: access to a potentially vulnerable web application] 
[Priority: 2]
05/11-12:41:17.335874 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1472 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83875ABE  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS474]

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
05/11-12:41:17.336005 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1473 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387604A  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.813229 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1579 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x838765D6  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.819632 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1580 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83876B62  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.826552 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1581 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x838770EE  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.832957 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1582 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387767A  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.281985 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1660 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83877C06  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.288862 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1661 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83878192  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.295286 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1662 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387871E  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.302304 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1663 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83878CAA  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.822478 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1791 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387A866  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.829314 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1792 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387ADF2  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

This sequence repeats about 10 more times, from different IPs.

I was wondering if this sequence matches any virus behaviour?

Regards.

-- 
---------------------------------------------------------------------------------
Manuel Balderrábano

e-mail: garibolo at ...3145...
---------------------------------------------------------------------------------
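As an added example (not from the post above and not Snort's own code): a small Python correlator that parses Snort full-format alert output like the listing above, groups alerts per TCP connection, and flags only connections where the WebDAV search alert is followed by repeated SHELLCODE x86 NOOP hits, i.e. the sequence the post describes. The sample alerts and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Snort "full" alert format, shaped like the post above;
# IPs are RFC 5737 documentation addresses. One alert keeps its
# Classification/TCP lines to show that the parser skips them.
SAMPLE_ALERTS = """\
[**] [1:1070:6] WEB-MISC WebDAV search access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/11-12:41:17.335874 192.0.2.10:1262 -> 203.0.113.5:80
TCP TTL:112 TOS:0x0 ID:1472 IpLen:20 DgmLen:1460 DF
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
05/11-12:41:17.335874 192.0.2.10:1262 -> 203.0.113.5:80
[**] [1:648:6] SHELLCODE x86 NOOP [**]
05/11-12:41:17.813229 192.0.2.10:1262 -> 203.0.113.5:80
[**] [1:648:6] SHELLCODE x86 NOOP [**]
05/11-12:41:17.819632 192.0.2.10:1262 -> 203.0.113.5:80
[**] [1:648:6] SHELLCODE x86 NOOP [**]
05/11-12:41:18.288862 198.51.100.7:3344 -> 203.0.113.5:80
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):\d+\] (.+?) \[\*\*\]$")
PACKET = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")

def parse_alerts(text):
    """Return one dict per alert: the [**] header gives gid/sid/msg, the next
    'src:port -> dst:port' line gives the 5-tuple; other lines are ignored."""
    alerts, head = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            head = (int(m[1]), int(m[2]), m[3])
        elif head and (m := PACKET.match(line)):
            alerts.append({"ts": m[1], "gid": head[0], "sid": head[1], "msg": head[2],
                           "src": m[2], "sport": int(m[3]), "dst": m[4], "dport": int(m[5])})
            head = None
    return alerts

def suspicious_flows(alerts, min_noops=2):
    """Group alerts by TCP connection and flag those where WebDAV search access
    (1:1070) is followed by >= min_noops SHELLCODE x86 NOOP hits (1:648). A NOOP
    hit alone is weak (large binary HTTP bodies trigger it), so 198.51.100.7 is not flagged."""
    flows = defaultdict(list)
    for a in alerts:
        flows[(a["src"], a["sport"], a["dst"], a["dport"])].append((a["gid"], a["sid"]))
    hits = []
    for key, sids in flows.items():
        if (1, 1070) in sids:
            noops = sids[sids.index((1, 1070)):].count((1, 648))
            if noops >= min_noops:
                hits.append((key, noops))
    return hits
```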