Snort mailing list archives
More nonexistent alerts
From: niceshorts () yahoo com
Date: Wed, 26 Sep 2001 18:57:58 -0500
Hi snorters! I have upgraded my W2K box to Silicon Defense's build 1.8.1b78 and we keep getting strange invalid alerts. The 2nd & 4th alerts below again show a bit lit in the high order nybble of the TOS field, a zero window size, and unlikely Ack byte numbers. Note how 2 & 4 do not have the DF bit. And these alerts do NOT log to the binary log. I am at a loss to explain it.

-anthony kim

[from alert.ids]

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26-21:27:16.929281 205.200.66.174:3725 -> 172.16.100.100:80
TCP TTL:112 TOS:0x0 ID:40608 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8C7773DD  Ack: 0x5C3C1B10  Win: 0x2238  TcpLen: 20

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26-21:27:17.239170 205.200.66.174:3725 -> 172.16.100.100:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:137
***AP*** Seq: 0x8C77743E  Ack: 0xC51DE392  Win: 0x0  TcpLen: 20

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26-21:27:17.714444 205.200.66.174:3745 -> 172.16.100.100:80
TCP TTL:112 TOS:0x0 ID:10657 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8C7D5E58  Ack: 0x5C3FEF9D  Win: 0x2238  TcpLen: 20

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26-21:27:18.124452 205.200.66.174:3745 -> 172.16.100.100:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:137
***AP*** Seq: 0x8C7D5EB9  Ack: 0x0  Win: 0x0  TcpLen: 20

[from snort.log]

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/26-16:27:16.929281 0:A0:8E:B:5B:99 -> 0:50:8B:E1:E4:61 type:0x800 len:0x97
205.200.66.174:3725 -> 172.16.100.100:80 TCP TTL:112 TOS:0x0 ID:40608 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8C7773DD  Ack: 0x5C3C1B10  Win: 0x2238  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
63 31 25 31 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79  c1%1c../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A  c+dir HTTP/1.0..
48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E  Host: www..Connn
65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D  ection: close...
0A                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/26-16:27:17.714444 0:A0:8E:B:5B:99 -> 0:50:8B:E1:E4:61 type:0x800 len:0x97
205.200.66.174:3745 -> 172.16.100.100:80 TCP TTL:112 TOS:0x0 ID:10657 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8C7D5E58  Ack: 0x5C3FEF9D  Win: 0x2238  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
63 30 25 32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79  c0%2f../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A  c+dir HTTP/1.0..
48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E  Host: www..Connn
65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D  ection: close...
0A                                               .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
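Added example, not part of the post and not Snort's own code: a small Python triage script that parses the alert.ids records quoted above, tags each one with the header oddities the post describes (TOS high-order nybble set, zero window, IP ID of 0, missing DF) and checks whether its Seq number matches a packet that actually reached snort.log. The sample alert text and the set of logged Seq numbers are constructed from the records in the post.

```python
import re

# Constructed sample: the four alert.ids records quoted in the post, single-spaced.
ALERT_IDS = """\
[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26-21:27:16.929281 205.200.66.174:3725 -> 172.16.100.100:80
TCP TTL:112 TOS:0x0 ID:40608 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8C7773DD Ack: 0x5C3C1B10 Win: 0x2238 TcpLen: 20
[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26-21:27:17.239170 205.200.66.174:3725 -> 172.16.100.100:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:137
***AP*** Seq: 0x8C77743E Ack: 0xC51DE392 Win: 0x0 TcpLen: 20
[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26-21:27:17.714444 205.200.66.174:3745 -> 172.16.100.100:80
TCP TTL:112 TOS:0x0 ID:10657 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x8C7D5E58 Ack: 0x5C3FEF9D Win: 0x2238 TcpLen: 20
[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
09/26-21:27:18.124452 205.200.66.174:3745 -> 172.16.100.100:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:137
***AP*** Seq: 0x8C7D5EB9 Ack: 0x0 Win: 0x0 TcpLen: 20
"""
LOGGED_SEQS = {0x8C7773DD, 0x8C7D5E58}  # Seq of the two packets that did reach snort.log
# One alert record: timestamp/endpoints line, IP header line, TCP header line.
RECORD_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) -> (?P<dst>\S+)\n"
    r"TCP TTL:(?P<ttl>\d+) TOS:0x(?P<tos>[0-9A-F]+) ID:(?P<id>\d+) "
    r"IpLen:\d+ DgmLen:\d+(?P<df> DF)?\n"
    r"\S+ Seq: 0x(?P<seq>[0-9A-F]+)\s+Ack: 0x(?P<ack>[0-9A-F]+)\s+Win: 0x(?P<win>[0-9A-F]+)"
)

def parse_alerts(text):
    return [m.groupdict() for m in RECORD_RE.finditer(text)]

def anomalies(rec):
    reasons = []
    if int(rec["tos"], 16) & 0xF0:       # high-order nybble of TOS set (0x10 here)
        reasons.append("tos-high-nybble")
    if int(rec["win"], 16) == 0:         # zero receive window on a data-carrying segment
        reasons.append("zero-window")
    if int(rec["id"]) == 0:              # IP ID of 0 while the real packets carry non-zero IDs
        reasons.append("ip-id-zero")
    if rec["df"] is None:                # DF bit missing on the suspect records
        reasons.append("no-DF")
    if int(rec["seq"], 16) not in LOGGED_SEQS:  # no matching packet in the binary log
        reasons.append("not-in-binary-log")
    return reasons

def triage(text):
    """Pair each alert timestamp with its anomaly tags ([] means it looks genuine)."""
    return [(r["ts"], anomalies(r)) for r in parse_alerts(text)]
```

Running triage(ALERT_IDS) tags records 2 and 4 with every anomaly and leaves 1 and 3 clean, matching the post's observation that only the odd ones fail to appear in snort.log.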