[Snort-users] Oddness with 16295

Joel Esler jesler at ...1935...
Thu Nov 11 12:51:29 EST 2010


Hard to diagnose this one. How are you logging with Snort? Unified? Tcpdump?

--
Sent from my iPad

On Nov 11, 2010, at 12:43 PM, "Lay, James" <james.lay at ...15009...> wrote:

> Bump…no takers on this?
> 
> From: Lay, James [mailto:james.lay at ...15009...] 
> Sent: Wednesday, November 10, 2010 10:52 AM
> To: snort-users at lists.sourceforge.net
> Subject: Oddness with 16295
> 
> So this is weird…looking at this hit:
> 
> 11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 -> 10.21.0.16:64385
> 
> Fairly certain it’s an fp, but…when I hit the pcap dump file, it doesn’t show…here are the consecutive hits in the alert file:
> 
> 11/10-10:37:25.096951  [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
> 11/10-10:37:25.131950  [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
> 11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 -> 10.21.0.16:64385
> 11/10-10:39:35.643464  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64686 -> 66.211.180.40:80
> 
> And from the pcap file:
> 
> sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395
> 
> 10:37:25.096951 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack 1081895485, win 4789, length 1400
> 10:37:25.131950 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack 1, win 4789, length 1400
> 10:39:35.643464 IP 10.21.0.16.64686 > 66.211.180.40.80: Flags [.], ack 2261207081, win 65535, length 536
> 
> So where did 16295 go?  A quick check for that IP gives nothing:
> 
> [10:48:24 jlay at ...15049...:~/log$] sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395 ip and host 204.11.109.23
> reading from file internettcpdump.pcap.1289401395, link-type EN10MB (Ethernet)
> [10:50:21 jlay at ...15049...:~/log$]
> 
> James Lay
> IT Security Analyst
> WinCo Foods
> 208-672-2014 Office
> 208-559-1855 Cell
> 650 N Armstrong Pl.
> Boise, Idaho 83704
> 
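The cross-check James did by hand (find the packet each alert fired on in the pcap) can be scripted, and doing so for a whole alert file is the quickest way to see whether the mismatch is a one-off or a logging problem of the kind Joel is asking about. The following is an added example, not code from the thread or from Snort; it assumes the default fast-alert format and the one-line tcpdump summary format quoted above, embeds the quoted lines as constructed sample input, reports alerts whose time of day and 5-tuple match no captured packet, and prints a BPF filter to re-run tcpdump with.

```python
import re
# Constructed sample input: the consecutive fast-alert lines quoted in the thread.
ALERT_LOG = """\
11/10-10:37:25.096951  [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
11/10-10:38:18.976338  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 -> 10.21.0.16:64385
11/10-10:39:35.643464  [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64686 -> 66.211.180.40:80
"""
# Constructed sample input: the tcpdump summary of the same pcap, as quoted.
PCAP_SUMMARY = """\
10:37:25.096951 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack 1081895485, win 4789, length 1400
10:37:25.131950 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack 1, win 4789, length 1400
10:39:35.643464 IP 10.21.0.16.64686 > 66.211.180.40.80: Flags [.], ack 2261207081, win 65535, length 536
"""
# Snort fast-alert line; the Classification field is optional (preprocessor alerts lack it).
ALERT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# tcpdump -n summary line: the port is the last dotted component after the address.
PKT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

def parse_alert(line):
    """Return the fields of one fast-alert line as a dict, or None if it is not one."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def flow_key(rec):
    """Time of day plus the 5-tuple; the same key shape for alert and packet records."""
    return (rec["time"], rec["src"], rec["sport"], rec["dst"], rec["dport"])

def bpf_filter(a):
    """BPF expression selecting exactly the flow an alert reports, for re-checking."""
    return (f"{a['proto'].lower()} and src host {a['src']} and src port {a['sport']} "
            f"and dst host {a['dst']} and dst port {a['dport']}")

def missing_alerts(alert_log, pcap_summary):
    """Alerts with no packet of the same time of day and 5-tuple in the capture."""
    captured = {flow_key(m.groupdict())
                for m in map(PKT_RE.match, pcap_summary.splitlines()) if m}
    alerts = [a for a in map(parse_alert, alert_log.splitlines()) if a]
    return [a for a in alerts if flow_key(a) not in captured]

if __name__ == "__main__":
    for a in missing_alerts(ALERT_LOG, PCAP_SUMMARY):
        print(f"sid {a['sid']} at {a['time']}: no packet in capture; try: {bpf_filter(a)}")
```

On the quoted input this flags only sid 16295, matching what the manual host filter showed.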