[Snort-users] Repeated warnings (Snort forums, System Security and Security Related category)
Hi, list.
I have been watching repeated access attempts to the firewall during a couple of days. The steps are all the same:

[**] [1:1070:6] WEB-MISC WebDAV search access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/11-12:41:17.335874 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1472 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83875ABE  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS474]

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/11-12:41:17.335874 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1472 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83875ABE  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS474]

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
05/11-12:41:17.336005 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1473 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387604A  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.813229 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1579 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x838765D6  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.819632 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1580 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83876B62  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.826552 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1581 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x838770EE  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.832957 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1582 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387767A  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.281985 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1660 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83877C06  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.288862 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1661 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83878192  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.295286 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1662 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387871E  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.302304 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1663 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83878CAA  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.822478 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1791 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387A866  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.829314 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1792 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387ADF2  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

This sequence repeats about 10 more times, from different IPs. I was wondering if this sequence matches any virus behaviour?

Regards.

-- 
Manuel Balderrábano
e-mail: garibolo@wanadoo.es
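As an added triage example (not code from the post or from the Snort project), the Python below parses Snort "full" alert text like the output above and correlates the alerts by TCP session, flagging only flows in which the WebDAV SEARCH alert (sid 1070) is followed by SHELLCODE x86 NOOP alerts (sid 648); a NOOP-sled alert seen on its own is left unflagged, since that rule also fires on ordinary binary payloads. The sample alerts are constructed, modelled on the ones in the post, and the field layout assumes the full-alert format shown there.

```python
import re
from collections import defaultdict

# Constructed sample in Snort "full" alert format, modelled on the post (RFC 5737 addresses).
SAMPLE_ALERTS = """\
[**] [1:1070:6] WEB-MISC WebDAV search access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/11-12:41:17.335874 192.0.2.10:1262 -> 198.51.100.1:80
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
05/11-12:41:17.336005 192.0.2.10:1262 -> 198.51.100.1:80
[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.813229 192.0.2.10:1262 -> 198.51.100.1:80
[**] [1:648:6] SHELLCODE x86 NOOP [**]
05/11-12:41:17.819632 192.0.2.10:1262 -> 198.51.100.1:80
[**] [1:648:6] SHELLCODE x86 NOOP [**]
05/11-12:41:20.000000 203.0.113.7:4021 -> 198.51.100.1:80
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
FLOW = re.compile(r"^(\d\d/\d\d-[\d:.]+) (\S+):(\d+) -> (\S+):(\d+)$")

def parse_alerts(text):
    """Return one dict per alert block: rule id (gid, sid), message, timestamp and 4-tuple."""
    alerts, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"rule": (int(m[1]), int(m[2])), "msg": m[4]}
        elif (m := FLOW.match(line)) and cur is not None:
            cur.update(ts=m[1], src=m[2], sport=int(m[3]), dst=m[4], dport=int(m[5]))
            alerts.append(cur)
            cur = None  # classification / TCP detail lines are skipped
    return alerts

WEBAPP_ACCESS = {(1, 1070)}  # WEB-MISC WebDAV search access
SHELLCODE = {(1, 648)}       # SHELLCODE x86 NOOP: noisy alone, fires on binary payloads too

def suspicious_sessions(alerts):
    """Group by TCP 4-tuple; return (src, dst, dport, noop_count) for flows with access-then-NOOP."""
    flows = defaultdict(list)
    for a in alerts:
        flows[(a["src"], a["sport"], a["dst"], a["dport"])].append(a["rule"])
    flagged = []
    for (src, _sport, dst, dport), rules in flows.items():
        hits = [i for i, r in enumerate(rules) if r in WEBAPP_ACCESS]
        if hits:
            noops = sum(1 for r in rules[hits[0] + 1:] if r in SHELLCODE)
            if noops:
                flagged.append((src, dst, dport, noops))
    return flagged
```

Run on a real alert file, `suspicious_sessions(parse_alerts(open("alert").read()))` gives one row per session worth a closer look, while the lone 203.0.113.7 NOOP alert in the sample stays unflagged.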