[Snort-users] Aurora Exploit Attempt Alert One Hour Delay

James Lay jlay at ...13475...
Thu Jan 23 18:03:47 EST 2014


On 2014-01-23 15:22, Latonya Hall wrote:
> 01/23/14-10:21:11.663009 [**] [1:26569:3] BROWSER-IE Microsoft
> Internet Explorer null object access attempt [**] [Classification:
> Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.2.172:8080
> -> 192.168.2.224:1081
> On Jan 23, 2014 5:09 PM, "Mike Miller" <mike at ...16027...> wrote:
>
>> What's the SID for the rule?
>>
>> On Thu, Jan 23, 2014 at 2:41 PM, Latonya Hall <lhall at ...16550...>
>> wrote:
>>
>>> I am tailing the file.
>>>
>>> On Jan 23, 2014 4:28 PM, "Mike Miller" <mike at ...16027...> wrote:
>>>

For what it's worth I see this sometimes as well when tailing the .fast 
file...usually after a burst of alerts.  Interestingly the alert id in 
my sguil console shows the earlier alert incremented correctly.

James



