Snort mailing list archives

RE: IDS254 False positive?


From: Steve Halligan <agent33 () geeksquad com>
Date: Tue, 22 May 2001 13:37:25 -0500

This is simply a webserver on port 80 replying to you.  You just happen to
be using the same port the shaft client uses.  These rules stink, 'cause of
just this reason.  They really need content filters.

-Steve

-----Original Message-----
From: Bob Bernstein [mailto:bob () ruptured-duck com]
Sent: Tuesday, May 22, 2001 1:06 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] IDS254 False positive?


This seems worth passing on:

From my snort alert file:

05/21/01-19:38:54.378223  [**] IDS254/ddos-shaft-client-to-handler [**] 152.163.180.24:80 -> nnn.my.ip.nnn:20432
05/21/01-19:38:54.421968  [**] IDS254/ddos-shaft-client-to-handler [**] 152.163.180.24:80 -> nnn.my.ip.nnn:20432
05/21/01-19:38:54.455919  [**] IDS254/ddos-shaft-client-to-handler [**] 152.163.180.24:80 -> nnn.my.ip.nnn:20432
05/21/01-19:38:54.478080  [**] IDS254/ddos-shaft-client-to-handler [**] 152.163.180.24:80 -> nnn.my.ip.nnn:20432
05/21/01-19:38:54.478154  [**] IDS254/ddos-shaft-client-to-handler [**] 152.163.180.24:80 -> nnn.my.ip.nnn:20432

But:

/var/log/snort# nslookup 152.163.180.24
Server:  localhost
Address:  127.0.0.1

Name:    ads.web.aol.com
Address:  152.163.180.24

Is there anything useful to be gleaned from the tcpdump of the packets?

Also, should something like this be passed along to whitehats.com or
someplace else?

--- snip ---

19:38:54.378223 152.163.180.24.80 > nnn.my.ip.nnn.20432: S 2715353362:2715353362(0) ack 21240968 win 16384 <mss 1360>

19:38:54.421968 152.163.180.24.80 > nnn.my.ip.nnn.20432: P 1:1056(1055) ack 155 win 16384

19:38:54.455919 4:47:0:0:0:0 0:0:0:0:45:10 ff06 1099: 

19:38:54.478080 152.163.180.24.80 > nnn.my.ip.nnn.20432: F 1056:1056(0) ack 155 win 16384

19:38:54.478154 152.163.180.24.80 > nnn.my.ip.nnn.20432: F 1056:1056(0) ack 156 win 16384

--- snip ---

Best regards,

-- 
Bob Bernstein
at
Esmond, R.I., USA
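Steve's point, that a port-only signature fires on anything touching 20432, can be checked mechanically against the two artifacts Bob posted. The following is an added example (not from the thread, and not Snort's own code) that pairs fast-format alert lines with tcpdump summary lines by timestamp and marks an alert as a likely false positive when the flagged "client" is a low service port answering a connection the local host opened (a SYN/ACK or ACKed data), and as suspicious when a remote host sends a bare SYN to 20432. All sample lines are constructed: 10.0.0.5 stands in for nnn.my.ip.nnn and 192.0.2.77 is an invented second source.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data patterned on the lines in Bob's post; 10.0.0.5 replaces
# "nnn.my.ip.nnn" and the 192.0.2.77 flow is invented to show the other outcome.
ALERTS = """\
05/21/01-19:38:54.378223  [**] IDS254/ddos-shaft-client-to-handler [**] 152.163.180.24:80 -> 10.0.0.5:20432
05/21/01-19:38:54.421968  [**] IDS254/ddos-shaft-client-to-handler [**] 152.163.180.24:80 -> 10.0.0.5:20432
05/21/01-19:40:01.000000  [**] IDS254/ddos-shaft-client-to-handler [**] 192.0.2.77:41523 -> 10.0.0.5:20432
"""
PACKETS = """\
19:38:54.378223 152.163.180.24.80 > 10.0.0.5.20432: S 2715353362:2715353362(0) ack 21240968 win 16384 <mss 1360>
19:38:54.421968 152.163.180.24.80 > 10.0.0.5.20432: P 1:1056(1055) ack 155 win 16384
19:40:01.000000 192.0.2.77.41523 > 10.0.0.5.20432: S 1:1(0) win 512
"""

ALERT_RE = re.compile(r"^(\S+)\s+\[\*\*\]\s+(\S+)\s+\[\*\*\]\s+(\S+):(\d+) -> (\S+):(\d+)$")
PKT_RE = re.compile(r"^(\S+) (\S+)\.(\d+) > (\S+)\.(\d+): (\S+) (.*)$")

def parse_packets(text: str) -> Dict[str, dict]:
    """Index tcpdump summary lines by timestamp, keeping source port, TCP flags and ACK presence."""
    out = {}
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            ts, _src, sport, _dst, _dport, flags, rest = m.groups()
            out[ts] = {"sport": int(sport), "flags": flags, "has_ack": " ack " in f" {rest} "}
    return out

def classify(sport: int, flags: str, has_ack: bool) -> str:
    """Decide whether the flagged 'client' really initiated the connection."""
    if "S" in flags and not has_ack:
        return "suspicious"             # bare SYN to 20432: the remote host is the initiator
    if has_ack and sport < 1024:
        return "likely_false_positive"  # SYN/ACK or data from a service port: we opened it
    return "review"

def triage(alerts_text: str = ALERTS, packets_text: str = PACKETS) -> List[Tuple[str, str, str]]:
    """Return (timestamp, flagged source, verdict) for each alert that has a matching packet."""
    pkts = parse_packets(packets_text)
    results = []
    for line in alerts_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts = m.group(1).split("-", 1)[1]   # "05/21/01-19:38:54.378223" -> "19:38:54.378223"
        src, sport = m.group(3), int(m.group(4))
        p = pkts.get(ts)
        verdict = classify(sport, p["flags"], p["has_ack"]) if p else "review"
        results.append((ts, f"{src}:{sport}", verdict))
    return results
```

In later Snort rule syntax the same direction check lives in the rule itself (`flow:to_server,established;` together with a `content:` match), which is the kind of fix Steve is asking for.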

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

