[Snort-users] Dropped packets again

Joel Esler jesler at ...1935...
Tue Nov 23 21:02:07 EST 2010


James,

Thanks for writing in, we'll take a look.

Any way you can pass us a full-session pcap of the activity?  I don't know if you do full packet capture as well, but if you could send us that, that'd be the way to go so we can research this properly.

Thanks.

Joel

On Nov 23, 2010, at 6:44 PM, Lay, James wrote:

> Hey folks.
> 
> 
> 
> So again...doing my job and I see a spate of SID 17645:
> 
> 
> 
> 11/23-16:20:50.583059  [**] [1:4152:4] WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580
> 11/23-16:20:50.625051  [**] [1:4152:4] WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580
> 11/23-16:28:32.188567  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
> 11/23-16:28:32.937516  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
> 11/23-16:28:32.942511  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
> 11/23-16:28:32.948508  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
> 11/23-16:28:32.954510  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
> 11/23-16:28:32.959510  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
> 11/23-16:28:32.965509  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
> 11/23-16:28:32.971510  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
> 11/23-16:30:02.942794  [**] [1:15213010:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /OpenAction [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763
> 11/23-16:30:02.942794  [**] [1:15213001:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763
> 
> 
> 
> Checking my pcapdump file I get:
> 
> 
> 
> 16:20:50.583059 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 3547191753, win 65535, length 1400
> 16:20:50.625051 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 1, win 65535, length 1400
> 16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack 1493254297, win 48593, length 1380
> 16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack 1, win 48593, length 1380
> 
> 
> 
> SID 17645 is completely missing.  I recall sending this to the list a
> while ago...I've recompiled things...and still it seems certain SIDs are
> left out of the packet captures.  There are no errors on the
> interfaces...lots of free memory, and CPU is pretty minimal.  What else
> can I check?  Am I just out of luck now?  Thanks.
> 
> 
> 
> James Lay
> IT Security Analyst
> WinCo Foods
> 208-672-2014 Office
> 208-559-1855 Cell
> 650 N Armstrong Pl.
> Boise, Idaho 83704
> 
> 
> 
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
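The cross-check James did by hand, scripted, as an added example that is not part of the original thread and not Snort's or Sourcefire's code. It parses alert_fast lines and `tcpdump -n -r capture.pcap` text output, keys both on the TCP 5-tuple, and reports per SID how many alerts have any packet of that session in the capture and how many have a packet near the alert timestamp. That split is the diagnostic a practitioner wants: a session that never appears at all points at the capture filter or at capture-side drops rather than at Snort. The sample lines are copied from the post above (re-joined where the mail client wrapped them); the function names, the bidirectional flow key and the one-second tolerance are this example's own assumptions.

```python
"""Cross-check Snort alert_fast output against a tcpdump listing of the same
capture, to find alerts whose triggering packets never made it into the pcap.
Added example for this thread; not Snort's own code.  Sample data is copied
from James Lay's post; names, flow keying and tolerance are assumptions."""
import re
from collections import defaultdict

# Snort alert_fast line:
#   11/23-16:28:32.188567  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: 1] {TCP} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^\d\d/\d\d-(?P<time>\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# tcpdump -n line (default time format carries no date):
#   16:20:50.583059 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ...
PKT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d{6})\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def to_usec(hms):
    """'16:28:32.188567' -> microseconds since midnight."""
    h, m, s = hms.split(":")
    sec, usec = s.split(".")
    return ((int(h) * 60 + int(m)) * 60 + int(sec)) * 1_000_000 + int(usec)

def flow_key(src, sport, dst, dport):
    """Direction-agnostic session key (assumption): a session counts as
    'in the capture' if packets in either direction were written."""
    return tuple(sorted([(src, int(sport)), (dst, int(dport))]))

def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append({"sid": int(m["sid"]), "msg": m["msg"], "t": to_usec(m["time"]),
                           "flow": flow_key(m["src"], m["sport"], m["dst"], m["dport"])})
    return alerts

def parse_packets(text):
    """Map session key -> list of packet timestamps (usec) seen in the capture."""
    by_flow = defaultdict(list)
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            by_flow[flow_key(m["src"], m["sport"], m["dst"], m["dport"])].append(to_usec(m["time"]))
    return by_flow

def check_alerts(alerts, packets_by_flow, tolerance_us=1_000_000):
    """Per SID: alerts fired, alerts whose session appears anywhere in the
    capture, and alerts with a packet within tolerance_us of the alert time
    (Snort stamps an alert with the time of the packet that triggered it)."""
    results = {}
    for a in alerts:
        r = results.setdefault(a["sid"], {"msg": a["msg"], "alerts": 0, "flow_seen": 0, "matched": 0})
        r["alerts"] += 1
        times = packets_by_flow.get(a["flow"], [])
        r["flow_seen"] += 1 if times else 0
        r["matched"] += 1 if any(abs(t - a["t"]) <= tolerance_us for t in times) else 0
    return results

def missing_sids(results):
    """SIDs for which not one alert could be backed by a captured packet."""
    return sorted(sid for sid, r in results.items() if r["matched"] == 0)

# Sample input, copied from the post (the eight SID 17645 alerts differ only in timestamp).
_SID_17645_TIMES = ["16:28:32.188567", "16:28:32.937516", "16:28:32.942511", "16:28:32.948508",
                    "16:28:32.954510", "16:28:32.959510", "16:28:32.965509", "16:28:32.971510"]
SAMPLE_ALERTS = "\n".join(
    ["11/23-16:20:50.583059  [**] [1:4152:4] WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580",
     "11/23-16:20:50.625051  [**] [1:4152:4] WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580"]
    + [f"11/23-{t}  [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {{TCP}} 149.136.20.26:80 -> 10.21.0.16:34645"
       for t in _SID_17645_TIMES]
    + ["11/23-16:30:02.942794  [**] [1:15213010:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /OpenAction [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763",
       "11/23-16:30:02.942794  [**] [1:15213001:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763"])
SAMPLE_PACKETS = """\
16:20:50.583059 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 3547191753, win 65535, length 1400
16:20:50.625051 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 1, win 65535, length 1400
16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack 1493254297, win 48593, length 1380
16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack 1, win 48593, length 1380
"""

if __name__ == "__main__":
    res = check_alerts(parse_alerts(SAMPLE_ALERTS), parse_packets(SAMPLE_PACKETS))
    for sid, r in sorted(res.items()):
        if r["matched"] == r["alerts"]:
            verdict = "every alert backed by a captured packet"
        elif r["flow_seen"] == 0:
            verdict = "session never appears in the capture: look at the capture filter, capture-side drops, or which interface the capture sees"
        else:
            verdict = "session present but the triggering packets are absent: likely capture-side drops mid-session"
        print(f"SID {sid}: {r['alerts']} alerts, {r['matched']} matched; {verdict}")
```

On the data from the post this reports SID 4152, 15213001 and 15213010 as fully backed and SID 17645 as 8 alerts, 0 matched with the session absent altogether, which is what makes a full-session pcap of that flow the thing to chase rather than Snort's own drop counters. Run it against real data by replacing the two sample strings with the contents of the alert file and of `tcpdump -n -r capture.pcap`; if the capture spans midnight, extend `to_usec` to carry the date, which the default tcpdump format does not print.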
