Snort mailing list archives
spurious .ida attempt detects
From: Russell Fulton <r.fulton () auckland ac nz>
Date: Fri, 16 Nov 2001 16:55:37 +1300 (NZDT)
Hi, I am running snort-1.8.1-RELEASE on a debian box. For some time now I have been getting alerts for the '.ida attempt' but no packets were logged. I reported this a couple of weeks ago but I did not see any responses.

I have just realised that there is something else odd about these alerts: the MAC addresses are both zero:

[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
11/16-14:39:24.545389 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x24E
130.123.128.24:1754 -> 130.216.35.105:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:576
***AP*** Seq: 0xCB6CF3A1 Ack: 0xE03784F8 Win: 0x7DA0 TcpLen: 20

In this particular hour we logged 9 .ida alerts and none had packet data recorded (and all were also missing the MAC addresses). Of these at least two were not Code Red (I can tell from the argus logs, and in one case I have verified with the server admin). Any ideas what is going on?

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
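The alert quoted above carries several fields that a sound Ethernet/IP capture would not normally produce together (all-zero source and destination MACs, an Ethernet type of 0x0, an IP ID of 0). The following script is an added example, not code from the post or from the Snort project: it parses Snort's full-alert text format into fields and flags those capture-quality anomalies so that such alerts can be separated from genuine detections during triage. The first sample is the alert from the post; the second is a constructed, well-formed alert (documentation addresses and made-up MACs) used as the negative case. The anomaly thresholds (Ethernet header length of 14 bytes, zero-valued link and IP ID fields) are heuristics chosen here, not Snort behaviour documented on this page.

```python
import re

# Sample 1: the alert quoted in the mailing-list post, reproduced verbatim.
SAMPLE_ALERT = """\
[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
11/16-14:39:24.545389 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x24E
130.123.128.24:1754 -> 130.216.35.105:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:576
***AP*** Seq: 0xCB6CF3A1 Ack: 0xE03784F8 Win: 0x7DA0 TcpLen: 20
"""

# Sample 2: a constructed, well-formed alert (RFC 5737 addresses, invented MACs)
# used to show that a normal-looking record raises no capture anomaly.
CLEAN_ALERT = """\
[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
11/16-14:41:02.000000 0:50:56:AA:BB:1 -> 0:50:56:AA:BB:2 type:0x800 len:0x24E
192.0.2.10:2048 -> 192.0.2.80:80 TCP TTL:115 TOS:0x0 ID:4321 IpLen:20 DgmLen:576
***AP*** Seq: 0x1 Ack: 0x2 Win: 0x4000 TcpLen: 20
"""

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
LINK_RE = re.compile(
    r"^(\S+) (\S+) -> (\S+) type:0x([0-9A-Fa-f]+) len:0x([0-9A-Fa-f]+)$",
    re.MULTILINE)
IP_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+) "
    r"TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)",
    re.MULTILINE)
TCP_RE = re.compile(
    r"^(\S{8}) Seq: 0x([0-9A-Fa-f]+) Ack: 0x([0-9A-Fa-f]+) "
    r"Win: 0x([0-9A-Fa-f]+) TcpLen: (\d+)", re.MULTILINE)

ETHERNET_HEADER_LEN = 14  # heuristic: expected link header size for Ethernet captures


def parse_alert(text):
    """Parse one Snort full-format alert record into a dict of typed fields."""
    hdr = HEADER_RE.search(text)
    cls = CLASS_RE.search(text)
    link = LINK_RE.search(text)
    ip = IP_RE.search(text)
    tcp = TCP_RE.search(text)
    if not (hdr and cls and link and ip):
        raise ValueError("not a recognisable Snort full-format alert")
    alert = {
        "gid": int(hdr.group(1)), "sid": int(hdr.group(2)), "rev": int(hdr.group(3)),
        "msg": hdr.group(4),
        "classification": cls.group(1), "priority": int(cls.group(2)),
        "timestamp": link.group(1),
        "src_mac": link.group(2), "dst_mac": link.group(3),
        "ether_type": int(link.group(4), 16), "frame_len": int(link.group(5), 16),
        "src_ip": ip.group(1), "src_port": int(ip.group(2)),
        "dst_ip": ip.group(3), "dst_port": int(ip.group(4)),
        "proto": ip.group(5), "ttl": int(ip.group(6)), "tos": int(ip.group(7), 16),
        "ip_id": int(ip.group(8)), "ip_len": int(ip.group(9)), "dgm_len": int(ip.group(10)),
    }
    if tcp:  # TCP line is absent for non-TCP alerts
        alert.update({"flags": tcp.group(1), "seq": int(tcp.group(2), 16),
                      "ack": int(tcp.group(3), 16), "win": int(tcp.group(4), 16),
                      "tcp_len": int(tcp.group(5))})
    return alert


def capture_anomalies(alert):
    """Return short tags for fields that suggest a broken link-layer/capture path
    rather than a real attacker-crafted packet. Heuristics, not Snort semantics."""
    tags = []
    if alert["src_mac"] == "0:0:0:0:0:0" and alert["dst_mac"] == "0:0:0:0:0:0":
        tags.append("zero-mac")
    if alert["ether_type"] == 0:
        tags.append("zero-ethertype")
    if alert["ip_id"] == 0:
        tags.append("zero-ipid")
    if alert["frame_len"] - alert["dgm_len"] != ETHERNET_HEADER_LEN:
        tags.append("link-header-length")
    return tags


def triage(text):
    """Parse an alert and classify it as 'suspect-capture' or 'ok' for review."""
    alert = parse_alert(text)
    tags = capture_anomalies(alert)
    return ("suspect-capture" if tags else "ok"), alert, tags


if __name__ == "__main__":
    for sample in (SAMPLE_ALERT, CLEAN_ALERT):
        verdict, a, tags = triage(sample)
        print(f"{a['timestamp']} sid={a['sid']} {a['src_ip']}:{a['src_port']} -> "
              f"{a['dst_ip']}:{a['dst_port']} {verdict} {tags}")
```

Running the script prints one triage line per record; the posted alert is tagged with all three zero-field anomalies while the constructed clean record passes. In practice the tagged records would be kept for the follow-up question the thread raises (why the sensor produced them) rather than counted as intrusion attempts.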
Current thread:
- spurious .ida attempt detects Russell Fulton (Nov 15)
- Re: spurious .ida attempt detects "and corrupt pcap file" Phil Wood (Nov 16)
- Re: spurious .ida attempt detects Martin Roesch (Nov 19)