Snort mailing list archives
Alerts not getting into log
From: niceshorts () yahoo com
Date: Wed, 26 Sep 2001 12:32:40 -0500
I'm getting a few invalid alerts mixed in with all the Nimda alerts I am getting. Here's an example:

    [**] [1:1002:1] WEB-IIS cmd.exe access [**]
    [Classification: Attempted User Privilege Gain] [Priority: 8]
    09/26-12:20:44.957813 172.16.1.1:4823 -> 172.16.100.100:80
    TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:3051
    ***AP*** Seq: 0x712F912F Ack: 0x25AC2519 Win: 0x4470 TcpLen: 20

    [**] [1:1002:1] WEB-IIS cmd.exe access [**]
    [Classification: Attempted User Privilege Gain] [Priority: 8]
    09/26-12:20:45.511397 172.16.1.1:4822 -> 172.16.100.100:80
    TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:3052
    ***AP*** Seq: 0x712EE982 Ack: 0x25AB953F Win: 0x4470 TcpLen: 20

These alerts do not get logged to the binary snort log.

Anomalies: TOS has the high order nybble lit up, IP ID field is 0, and the length is 3052 bytes. Not likely an actual packet but a stream reassembly problem?

If there is anything I should do, please let me know.

OS: win2k advanced server

    snort -V

    -*> Snort! <*-
    Version 1.8-WIN32 (Build 77)
    By Martin Roesch (roesch () sourcefire com, www.snort.org)
    1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
    1.8-WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com) (based on code from 1.7 port)

TIA,
anthony kim
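As an added illustration (not code from the poster or the Snort project), the script below parses the two alert entries quoted above from Snort's multi-line text alert format and flags the three header anomalies the post points at, so entries that look like reassembled pseudo-packets can be separated from wire-sized packets before cross-checking the binary log. The 1500-byte MTU ceiling and the field names in the returned dicts are assumptions.

```python
import re

# Constructed sample: the two alert entries quoted in the post, in Snort's text alert layout.
SAMPLE_ALERTS = """\
[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
09/26-12:20:44.957813 172.16.1.1:4823 -> 172.16.100.100:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:3051
***AP*** Seq: 0x712F912F Ack: 0x25AC2519 Win: 0x4470 TcpLen: 20

[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
09/26-12:20:45.511397 172.16.1.1:4822 -> 172.16.100.100:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:3052
***AP*** Seq: 0x712EE982 Ack: 0x25AB953F Win: 0x4470 TcpLen: 20
"""

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
IP_RE = re.compile(
    r"^(\w+) TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")

def parse_alerts(text):
    """Parse blank-line-separated Snort text alerts into dicts (assumed layout)."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0]) if lines else None
        ip = IP_RE.match(lines[3]) if len(lines) > 3 else None
        if not (head and ip):
            continue  # skip entries that do not follow the expected layout
        alerts.append({"sid": int(head.group(2)), "msg": head.group(4),
                       "tos": int(ip.group(3), 16), "ip_id": int(ip.group(4)),
                       "dgmlen": int(ip.group(6)), "ttl": int(ip.group(2))})
    return alerts

def reassembly_indicators(alert, mtu=1500):
    """Return the header anomalies the post calls out; an empty list means the
    fields look like an ordinary wire packet. The MTU value is an assumption."""
    hits = []
    if alert["tos"] >> 4:      # high-order nybble of TOS set
        hits.append("tos_high_nybble")
    if alert["ip_id"] == 0:    # IP ID field of zero
        hits.append("ip_id_zero")
    if alert["dgmlen"] > mtu:  # datagram larger than the link MTU
        hits.append("dgmlen_over_mtu")
    return hits

def suspect_alerts(text, mtu=1500):
    # Alerts carrying every indicator: probable reassembled pseudo-packets.
    return [a for a in parse_alerts(text)
            if len(reassembly_indicators(a, mtu)) == 3]
```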