[Snort-users] Dropped packets again

rmkml rmkml at ...1855...
Tue Nov 23 19:06:04 EST 2010


Hi James,
Is it possible to record your network traffic with tcpdump/tshark/wireshark/snort/daemonlogger... for testing, please? (with full snap length, of course)
Then "restart" your Snort and check whether you get a new alert for sid 17645.
If yes, stop tcpdump and search your pcap for your Snort alerts by ipsrc/dst+portsrc/dst...
ok?
Regards
Rmkml



On Tue, 23 Nov 2010, Lay, James wrote:

> Hey folks.
>
>
>
> So again...doing my job and I see a spat of sid 17645:
>
>
>
> 11/23-16:20:50.583059  [**] [1:4152:4] WEB-ACTIVEX Windows Media Player
> 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege
> Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580
>
> 11/23-16:20:50.625051  [**] [1:4152:4] WEB-ACTIVEX Windows Media Player
> 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege
> Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580
>
> 11/23-16:28:32.188567  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
> Explorer CSS strings parsing memory corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 149.136.20.26:80 -> 10.21.0.16:34645
>
> 11/23-16:28:32.937516  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
> Explorer CSS strings parsing memory corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 149.136.20.26:80 -> 10.21.0.16:34645
>
> 11/23-16:28:32.942511  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
> Explorer CSS strings parsing memory corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 149.136.20.26:80 -> 10.21.0.16:34645
>
> 11/23-16:28:32.948508  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
> Explorer CSS strings parsing memory corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 149.136.20.26:80 -> 10.21.0.16:34645
>
> 11/23-16:28:32.954510  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
> Explorer CSS strings parsing memory corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 149.136.20.26:80 -> 10.21.0.16:34645
>
> 11/23-16:28:32.959510  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
> Explorer CSS strings parsing memory corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 149.136.20.26:80 -> 10.21.0.16:34645
>
> 11/23-16:28:32.965509  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
> Explorer CSS strings parsing memory corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 149.136.20.26:80 -> 10.21.0.16:34645
>
> 11/23-16:28:32.971510  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
> Explorer CSS strings parsing memory corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 149.136.20.26:80 -> 10.21.0.16:34645
>
> 11/23-16:30:02.942794  [**] [1:15213010:1] ET WEB_CLIENT PDF Name
> Representation Obfuscation of /OpenAction [**] [Classification:
> Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 ->
> 10.21.0.16:34763
>
> 11/23-16:30:02.942794  [**] [1:15213001:1] ET WEB_CLIENT PDF Name
> Representation Obfuscation of /Subtype [**] [Classification: Potentially
> Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763
>
>
>
> Checking my pcapdump file I get:
>
>
>
> 16:20:50.583059 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack
> 3547191753, win 65535, length 1400
>
> 16:20:50.625051 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 1,
> win 65535, length 1400
>
> 16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack
> 1493254297, win 48593, length 1380
>
> 16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack
> 1, win 48593, length 1380
>
>
>
> SID 17645 is completely missing.  I recall sending this to the list a
> while ago...I've recompiled things..and still it seems certain SIDS seem
> left out of the packet captures.  There are no errors on the
> interfaces...lot's of free memory, and CPU is pretty minimal.  What else
> can I check?  I'm I just out of luck now?  Thanks.
>
>
>
> James Lay
>
> IT Security Analyst
>
> WinCo Foods
>
> 208-672-2014 Office
>
> 208-559-1855 Cell
>
> 650 N Armstrong Pl.
>
> Boise, Idaho 83704
>
>
>
>
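One way to do the correlation Rmkml suggests, added here as an example (not code from this thread or from the Snort project): match each Snort fast-alert line to the tcpdump lines by source/destination address and ports within a one-second window, and list the alerts that have no packet behind them in the dump. The sample alert and packet lines below are constructed from the ones quoted above, with each alert on a single line as Snort writes it.

```python
import re
from datetime import datetime

# Snort "fast" alert line, as quoted in this thread (one alert per line in the real file).
ALERT_RE = re.compile(
    r'^\d\d/\d\d-(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\].*\{\w+\}\s+(?P<src>[\d.]+):(?P<sp>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dp>\d+)$')
# tcpdump default line: "HH:MM:SS.ffffff IP a.b.c.d.port > e.f.g.h.port: ..."
PKT_RE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+IP\s+(?P<src>[\d.]+)\.(?P<sp>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dp>\d+):')

def _secs(ts):
    # Seconds since midnight; assumes both tools print the same wall clock on this sensor.
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6

def parse(text, regex):
    # One dict per matching line: timestamp, address/port 4-tuple and, for alerts, sid/msg.
    recs = []
    for line in text.splitlines():
        m = regex.match(line.strip())
        if m:
            d = m.groupdict()
            recs.append({'t': _secs(d['ts']), 'sid': int(d.get('sid', 0)), 'msg': d.get('msg', ''),
                         'flow': (d['src'], int(d['sp']), d['dst'], int(d['dp']))})
    return recs

def unmatched_alerts(alert_text, pkt_text, window=1.0):
    """Alerts whose src/dst addresses and ports have no packet in the dump within +/- window seconds."""
    pkts = parse(pkt_text, PKT_RE)
    return [a for a in parse(alert_text, ALERT_RE)
            if not any(p['flow'] == a['flow'] and abs(p['t'] - a['t']) <= window for p in pkts)]

# Constructed sample input modelled on the thread (not the poster's actual alert file or pcap).
ALERTS = """\
11/23-16:20:50.583059  [**] [1:4152:4] WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580
11/23-16:28:32.188567  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:30:02.942794  [**] [1:15213010:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /OpenAction [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763
"""
PACKETS = """\
16:20:50.583059 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 3547191753, win 65535, length 1400
16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack 1493254297, win 48593, length 1380
"""

if __name__ == "__main__":
    for a in unmatched_alerts(ALERTS, PACKETS):
        print(f"no packet for sid {a['sid']} {a['flow']}: {a['msg']}")
```

Run against the real alert file and `tcpdump -nn -r capture.pcap` output; an alert listed here is one the sensor fired on but the dump never saw, which narrows the problem to the capture path rather than the rules.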