[Snort-users] Dropped packets again

Lay, James james.lay at ...15009...
Tue Nov 23 18:44:35 EST 2010


Hey folks.

 

So again... doing my job and I see a spate of sid 17645:

 

11/23-16:20:50.583059  [**] [1:4152:4] WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580
11/23-16:20:50.625051  [**] [1:4152:4] WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580
11/23-16:28:32.188567  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.937516  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.942511  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.948508  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.954510  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.959510  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.965509  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.971510  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:30:02.942794  [**] [1:15213010:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /OpenAction [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763
11/23-16:30:02.942794  [**] [1:15213001:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763

 

Checking my pcapdump file I get:

 

16:20:50.583059 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 3547191753, win 65535, length 1400
16:20:50.625051 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 1, win 65535, length 1400
16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack 1493254297, win 48593, length 1380
16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack 1, win 48593, length 1380

 

SID 17645 is completely missing.  I recall sending this to the list a
while ago... I've recompiled things... and still it seems certain SIDs are
left out of the packet captures.  There are no errors on the
interfaces... lots of free memory, and CPU is pretty minimal.  What else
can I check?  Am I just out of luck now?  Thanks.

 

James Lay

IT Security Analyst

WinCo Foods

208-672-2014 Office

208-559-1855 Cell

650 N Armstrong Pl.

Boise, Idaho 83704
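What the post does by hand (read the alert log, then look for the same timestamps and addresses in the pcap dump) can be scripted, so that every SID on a sensor gets the same check instead of the one that happened to catch the eye. The following is an added example, not code from the post or from the Snort project. It parses Snort's alert_fast lines and tcpdump's default text output, keys both on the packet timestamp plus source and destination address and port, and reports per SID how many alerts have no packet in the capture. It assumes the formats shown in the post (tcpdump run with numeric addresses, as in the post's output), that both files cover the same day (tcpdump's default lines carry no date), and that an alert carries the timestamp of the packet that triggered it, which the post's own output bears out for SID 4152 and the two ET rules. The sample input is constructed from the post's lines in the wrapped form a mail client produces, which is why records are rejoined before parsing.

```python
import re
from collections import defaultdict

# A record (alert or packet) starts with a timestamp; Snort's alert_fast
# output prefixes it with MM/DD-, tcpdump's default output does not.
TS_START = re.compile(r"^(\d\d/\d\d-)?\d\d:\d\d:\d\d\.\d+")

# Snort alert_fast: time [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^\d\d/\d\d-(?P<time>\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# tcpdump default text line for TCP/UDP over IPv4: time IP src.sport > dst.dport: ...
PKT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d{6})\s+IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)"
    r"\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def unwrap(text):
    """Rejoin records a mail client wrapped onto several lines: a non-empty
    line that does not begin with a timestamp continues the previous record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_START.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def packet_keys(pcap_text):
    """Set of (time, src, sport, dst, dport) for every packet in the dump.
    Same-day assumption: tcpdump's default output has no date field."""
    keys = set()
    for rec in unwrap(pcap_text):
        m = PKT_RE.match(rec)
        if m:
            keys.add((m["time"], m["src"], m["sport"], m["dst"], m["dport"]))
    return keys


def correlate(alert_text, pcap_text):
    """Per SID: alerts seen, alerts whose packet is in the capture, and the
    timestamps of the alerts whose packet is not."""
    packets = packet_keys(pcap_text)
    report = defaultdict(lambda: {"alerts": 0, "in_capture": 0, "missing": []})
    for rec in unwrap(alert_text):
        m = ALERT_RE.match(rec)
        if not m:
            continue
        # Snort stamps the alert with the triggering packet's own timestamp,
        # so time plus the 4-tuple identifies that packet exactly.
        key = (m["time"], m["src"], m["sport"], m["dst"], m["dport"])
        entry = report[m["sid"]]
        entry["alerts"] += 1
        if key in packets:
            entry["in_capture"] += 1
        else:
            entry["missing"].append(m["time"])
    return dict(report)


# Constructed sample input: a subset of the post's alert and tcpdump lines,
# kept in the line-wrapped form the mail client produced.
ALERTS = """\
11/23-16:20:50.583059  [**] [1:4152:4] WEB-ACTIVEX Windows Media Player
6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege
Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580
11/23-16:28:32.188567  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.937516  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:30:02.942794  [**] [1:15213010:1] ET WEB_CLIENT PDF Name
Representation Obfuscation of /OpenAction [**] [Classification:
Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 ->
10.21.0.16:34763
"""

PACKETS = """\
16:20:50.583059 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack
3547191753, win 65535, length 1400
16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack
1493254297, win 48593, length 1380
"""

if __name__ == "__main__":
    for sid, r in sorted(correlate(ALERTS, PACKETS).items()):
        print(f"sid {sid}: {r['alerts']} alerts, {r['in_capture']} in capture, "
              f"missing at {r['missing'] or 'none'}")
```

Against real files, call correlate() with the contents of the alert file and of `tcpdump -n -r` over the pcapdump output. A SID whose alerts all land in "missing" while other SIDs from the same sensor and the same minute match, which is the pattern in the post, points at those particular packets never reaching the capture writer rather than at interface errors or load, neither of which this check can see.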

 
