Snort mailing list archives

Re: Code Green???


From: "Larry E. Smith Jr." <lsmithjr () monster-solutions net>
Date: Tue, 18 Sep 2001 11:34:07 -0400

Could you guys tell me the signature and which rules file is detecting this
alert?

thanks!

----- Original Message -----
From: "Dushyanth Harinath" <dushy () archeanit com>
To: <snort-users () lists sourceforge net>
Sent: Tuesday, September 18, 2001 11:18 AM
Subject: Re: [Snort-users] Code Green???


Well, it seems to be everywhere. I have got nearly 800 alerts of the same
type.

We are getting this also. Very high traffic of this type.

On Tue, 2001-09-18 at 09:27, Matthew Francis wrote:
Hi,

I'm getting LOADS of what looks like new Code Red attacks. Could this
be Code Green???  From one single 'attacking' PC I'm getting the
following log (there are 2 IDSs: 1: Internet facing, 2: DMZ):

18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1275 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1275 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]: WEB-../..: {Attacking PC}:1294 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]: WEB-../..: {Attacking PC}:1304 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]: WEB-../..: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1323 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1331 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1331 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1341 -> {Destination Server}:80
18-09-2001 15:13:56 System0.Alert {IDS 2}    snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1341 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1341 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1350 -> {Destination Server}:80
18-09-2001 15:13:56 System0.Alert {IDS 2}    snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1350 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1350 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1395 -> {Destination Server}:80

Obviously this is a massive log for one 'attack' attempt, and I'm
getting this a LOT from all different IP address ranges, which are all
standard dial-up accounts (the ones I've checked, anyway) with what
look like unpatched IIS servers.

Anyone shed any light???

Thanks

-----
Matthew Francis

--
First they ignore you,            | Dushyanth Harinath
then they laugh at you,           | Programmer/SysAdmin
then they fight you,              | Archean Infotech
then you win.- Mahatma Gandhi     | http://www.archeanit.com
(possibly not talking about Linux)|




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
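As an added example (not from this thread or from Snort itself), a small Python triage script that parses Snort syslog alerts in the format quoted above and collapses a flood like the one Matthew posted into one row per source host, so the "many client ports, same few rules" pattern of a worm scan stands out. The sample log lines and addresses are constructed, and the heuristic's SID set {970, 1002} is taken from the SIDs quoted in the log.

```python
import re
from collections import defaultdict

# Snort syslog alert format as quoted in the thread: rule alerts carry
# [gid:sid:rev] and a classification/priority, preprocessor alerts
# (spp_http_decode, WEB-../..) only a message; both end "src:sport -> dst:dport".
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) \S+ \{(?P<sensor>[^}]*)\}\s+"
    r"snort\[(?P<pid>\d+)\]:\s+(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?"
    r"(?P<msg>.*?)(?:\s+\[Classification: (?P<cls>.*?)\s+Priority: (?P<pri>\d+)\])?"
    r":\s+(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Constructed sample lines in the thread's format (RFC 5737 documentation addresses).
SAMPLE = [
    "18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: 198.51.100.7:1264 -> 192.0.2.10:80",
    "18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: 198.51.100.7:1275 -> 192.0.2.10:80",
    "18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: 198.51.100.7:1287 -> 192.0.2.10:80",
    "18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]: WEB-../..: 198.51.100.7:1294 -> 192.0.2.10:80",
    "18-09-2001 15:13:55 System0.Alert {IDS 2}    snort[1472]: spp_http_decode: IIS Unicode attack detected: 198.51.100.7:1316 -> 192.0.2.10:80",
    "18-09-2001 15:14:02 Auth.Alert {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: 203.0.113.9:2044 -> 192.0.2.10:80",
]

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a Snort alert."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"]) if d["sid"] else None  # None for preprocessor alerts
    return d

def summarize_by_source(lines):
    """Collapse an alert flood to one row per source: distinct client ports
    (roughly one per HTTP request), rule SIDs hit, preprocessor messages seen."""
    rows = defaultdict(lambda: {"ports": set(), "sids": set(), "msgs": set()})
    for a in filter(None, map(parse_alert, lines)):
        row = rows[a["src"]]
        row["ports"].add(int(a["sport"]))
        if a["sid"] is not None:
            row["sids"].add(a["sid"])
        else:
            row["msgs"].add(a["msg"])
    return dict(rows)

def looks_like_worm_scan(row, min_requests=5):
    """Heuristic matching the thread's pattern: many separate requests from one
    host, all tripping only the IIS traversal/cmd.exe rules quoted (SIDs 970, 1002)."""
    return len(row["ports"]) >= min_requests and bool(row["sids"]) and row["sids"] <= {970, 1002}
```

Feed it a real syslog file line by line and the per-source rows give you the list of hosts worth blocking or notifying, instead of hundreds of near-duplicate alerts per infected dial-up client.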
