[Snort-users] Re: possible exploit
Robert T Wyatt
robert.wyatt at ...3045...
Thu Feb 16 20:02:12 EST 2006
Robert T Wyatt wrote:
> Frank Knobbe wrote:
>> Your Snort didn't alert on that? Mine do all the time. It's SID 1250
>> (web-misc.rules). You might want to check your config to see if this
>> rule file is loaded and to ensure you don't miss other sigs too.
> Patrick S. Harper wrote:
> > Old Cisco exploit. I saw a bunch of them not too long ago.
> > http://isc.sans.org/diary.php?storyid=1104
> Thanks folks, I think it must have happened right when I was restarting
> snort after a rule update.
> I will watch for this in the future to ensure that my setup is correct.
My Snort is working fine; it really must have happened right as I was
restarting the application that day.
[**] [1:1250:13] WEB-MISC Cisco IOS HTTP configuration attempt [**]
[Classification: Web Application Attack] [Priority: 1]
02/16-17:31:44.420752 22.214.171.124:3763 -> 126.96.36.199:80
TCP TTL:112 TOS:0x0 ID:54368 IpLen:20 DgmLen:78 DF
***AP*** Seq: 0xFD838C6F Ack: 0xCC3D1484 Win: 0xFAF0 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10700][Xref =>
More information about the Snort-users