Security Incidents mailing list archives

Re: Now the kiddiez started playing


From: Sven Carstens <s.carstens () gmx de>
Date: Sun, 5 Aug 2001 22:58:42 +0200 (CEST)

On Sun, 05 Aug 2001, Sven Carstens <s.carstens () gmx de> wrote:
Just sitting here and enjoying my new snort rules.
Then a packet that reports not the codered variant
but the plain old .ida access warning.

The mandatory look into the payload reveals:
  the next variant

Only occurred twice from the same IP address to the same IP address.
The relatively quick check reveals a dial-up system that claims to use
an apache server and SuSE-Linux.

Reported him to the provider and we'll see what happens.

Seems the script kiddiez are not playing after all!
It's just snort getting tired and needing a rest?
The double check with the apache logfiles showed that at the exact time
from the exact IP a regular user was just browsing the regular web pages.

Will now treat myself (but not snort) with some sleep.

CU Sven

