[Snort-users] Re: possible exploit

Robert T Wyatt robert.wyatt at ...3045...
Thu Feb 16 20:02:12 EST 2006


Robert T Wyatt wrote:
> Frank Knobbe wrote:
>> Your Snort didn't alert on that? Mine do all the time. It's SID 1250
>> (web-misc.rules). You might want to check your config to see if this
>> rule file is loaded and to ensure you don't miss other sigs too.
> 
> Patrick S. Harper wrote:
>  > Old Cisco exploit.  I saw a bunch of them not too long ago.
>  >
>  > http://isc.sans.org/diary.php?storyid=1104
> 
> Thanks folks, I think it must have happened right when I was restarting 
> snort after a rule update.
> 
> I will watch for this in the future to ensure that my setup is correct.
> 


My Snort is working fine; it really must have happened right as I was 
restarting the application that day.

[**] [1:1250:13] WEB-MISC Cisco IOS HTTP configuration attempt [**]
[Classification: Web Application Attack] [Priority: 1]
02/16-17:31:44.420752 80.192.40.254:3763 -> 66.90.146.246:80
TCP TTL:112 TOS:0x0 ID:54368 IpLen:20 DgmLen:78 DF
***AP*** Seq: 0xFD838C6F  Ack: 0xCC3D1484  Win: 0xFAF0  TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10700][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0537][Xref => http://www.securityfocus.com/bid/2936]



