Snort mailing list archives

RE: Interesting alerts.


From: "Jeremy Junginger" <jjunginger () usbestcrm com>
Date: Wed, 9 Oct 2002 07:57:43 -0700

Thank you for the analysis, John.  I came to a similar conclusion, by
surfing to http://66.28.151.197 .  I appreciate your insights, though.
Let me ask you a bit more challenging question.  Hypothetically, if a
certain administrator had a binary packet capture that includes this
traffic, would it not be possible to manipulate/replay the packets in
such a way that you could retrieve the file that the user had
downloaded?  Put on your thinking cap for this one....

::jeopardy music in the background::

;-P

-Jeremy

-----Original Message-----
From: John Sage [mailto:jsage () finchhaven com] 
Sent: Sunday, September 08, 2002 11:41 AM
To: Jeremy Junginger
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Interesting alerts.


Jeremy:

On Thu, Sep 05, 2002 at 03:17:52PM -0700, Jeremy Junginger wrote:
I'm in the process of grooming an IDS, and came across some 
interesting alerts...about 18,000 of them.  I am considering 
"grooming" this alert out, but would like to understand the traffic.  
Please provide any insights you may have.  I have intentionally left 
the source IP intact, as it is the external IP that the box is 
connecting to.  Let me know what you think.  Thanks,

------------------------------------------------------------------------
#(1 - 44731) [2002-09-05 12:38:18] [Bugtraq/4006]  DOS MSDTC attempt
IPv4: 66.28.151.197 -> x.x.x.118
      hlen=5 TOS=0 dlen=1500 ID=37730 flags=0 offset=0 TTL=107
chksum=48209
TCP:  port=80 -> dport: 3372  flags=***A**** seq=2626793598
      ack=3945314208 off=5 res=0 win=16947 urp=0 chksum=34845
Payload:  length = 1460

000 : 43 2B 88 61 6B 80 AB B3 E5 76 5E 50 F8 34 07 41  C+.ak....v^P.4.A
010 : A3 09 9C 0A 14 87 E1 89 58 0A BC 00 A4 07 59 CB  ........X.....Y.
020 : 40 D4 66 E0 58 2C 90 14 AA AF 00 AD 29 1A 82 D9  @.f.X,......)...
030 : D0 95 71 1B 11 22 80 60 48 0D 28 34 FC 5F 49 5C  ..q..".`H.(4._I\
<snippage>

The rule *did* match:

[toot@sparky /home/www/html/sys_docs/snort187]# grep 4006 *

dos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:5;)

But...

So, yes, the destination port *was* 3372 and the dsize *was* > 1024;
but, given that the source port is 80, one immediately wonders about
http traffic. The packet payload looks a lot like an img (jpeg, gif..)
file, or a binary...

Let's see:

[toot@sparky /]# host 66.28.151.197
Host 197.151.28.66.in-addr.arpa. not found: 3(NXDOMAIN)

[toot@sparky /etc/rc.d/init.d]# lynx -head -dump http://66.28.151.197/
HTTP/1.1 200 OK
Date: Sun, 08 Sep 2002 18:17:02 GMT
Server: GameSpy-XFS/1.0
Connection: close
Content-Type: text/html
Accept-Ranges: bytes
Cache-Control: no-cache


"GameSpy"? hmm..


[toot@sparky /]# lynx http://66.28.151.197/

FilePlanet Download System -
   _

   FilePlanet Download System
   Currently Downloading
   200 /200
   Waiting to Download
   238
   Estimated Wait
   59 minutes
   This public server is full!
   You can wait in line for an open slot.
   Let's Go
   [BUTTON]
   Why do public servers have lines?
   YOU DON'T HAVE TO WAIT!
   Subscribe to FilePlanet
   Get INSTANT access to dedicated, HIGH-SPEED servers without
advertisements!
   advertisement
   Clicking on or refreshing an ad will not disrupt your place in line.


whois?

Registrant:
Critical Mass Gaming Systems (FILEPLANET-DOM)
   2900 S. Bristol St., Suite E204
   Costa Mesa, CA 92626-7908
   US    

Domain Name: FILEPLANET.COM    

Administrative Contact, Technical Contact:
      Andrea Bruns  (CMN2-ORG)hostmaster () GAMESPY COM
      GameSpy Industries
      18002 Skypark Circle
      Irvine, CA 92614-6429
      US
      949-798-4200 Fax- 949-798-4299
      Fax- - 949-798-4299 

   Record expires on 09-Dec-2002.
   Record created on 08-Dec-1997.
   Database last updated on 8-Sep-2002 14:35:58 EDT. 

Domain servers in listed order: 
   NS.GAMESPY.COM               207.38.0.10
   NS2.GAMESPY.COM              207.38.0.11



Ring any bells? Somebody downloading games on your network?


- John
-- 
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
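The exchange above comes down to a rule whose match conditions are too loose to tell an attack from ordinary traffic: sid:1408 fires on any ACK segment larger than 1023 bytes aimed at TCP/3372, so a download whose client-side ephemeral port happened to be 3372 produced 18,000 hits. The following Python triage script is an added example and not code from the thread or from the Snort project. It parses alert blocks in the layout Jeremy posted, re-implements the three conditions of the posted rule, and then adds the direction check that Snort's `flow:to_server,established` keyword provides (where the Snort version in use supports it). Assumptions are labelled in the code: the second alert record is constructed, and, lacking session state, the script treats the side on a privileged port (below 1024) as the server when the other side is on an ephemeral port.

```python
"""Triage helper for the sid:1408 "DOS MSDTC attempt" hits discussed in the thread.

Added example, not code from the thread. It re-implements the three match
conditions the posted rule encodes (dport 3372, ACK set, dsize > 1023), then
applies the direction check that Snort's `flow:to_server,established`
keyword would add, to separate an HTTP response landing on a client's
ephemeral port 3372 from a segment actually aimed at an MSDTC listener.
"""
import re
from dataclasses import dataclass

# Constructed alert records in the layout shown in the thread. The first is the
# posted alert; the second is made up to show a segment from an ephemeral port.
SAMPLE_ALERTS = [
"""#(1 - 44731) [2002-09-05 12:38:18] [Bugtraq/4006]  DOS MSDTC attempt
IPv4: 66.28.151.197 -> x.x.x.118
      hlen=5 TOS=0 dlen=1500 ID=37730 flags=0 offset=0 TTL=107 chksum=48209
TCP:  port=80 -> dport: 3372  flags=***A**** seq=2626793598
      ack=3945314208 off=5 res=0 win=16947 urp=0 chksum=34845
Payload:  length = 1460""",
"""#(1 - 99999) [2002-09-05 13:00:00] [Bugtraq/4006]  DOS MSDTC attempt
IPv4: 10.1.2.3 -> x.x.x.118
      hlen=5 TOS=0 dlen=1500 ID=1 flags=0 offset=0 TTL=64 chksum=1
TCP:  port=40123 -> dport: 3372  flags=***AP*** seq=1
      ack=1 off=5 res=0 win=65535 urp=0 chksum=1
Payload:  length = 1460""",
]

IP_RE = re.compile(r"^IPv4:\s+(\S+)\s+->\s+(\S+)", re.M)
TCP_RE = re.compile(r"^TCP:\s+port=(\d+)\s+->\s+dport:\s+(\d+)\s+flags=(\S+)", re.M)
PAYLOAD_RE = re.compile(r"^Payload:\s+length\s*=\s*(\d+)", re.M)


@dataclass
class Alert:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # Snort's 8-character flag field, e.g. ***A****
    dsize: int   # TCP payload length, which is what the dsize keyword tests


def parse_alert(text: str) -> Alert:
    """Pull the fields the rule tests out of one alert block."""
    ip = IP_RE.search(text)
    tcp = TCP_RE.search(text)
    payload = PAYLOAD_RE.search(text)
    if not (ip and tcp and payload):
        raise ValueError("alert block does not contain IPv4/TCP/Payload lines")
    return Alert(src=ip.group(1), dst=ip.group(2),
                 sport=int(tcp.group(1)), dport=int(tcp.group(2)),
                 flags=tcp.group(3), dsize=int(payload.group(1)))


def rule_1408_matches(a: Alert) -> bool:
    """The conditions of sid:1408 rev 5 as posted: dport 3372, flags:A+, dsize:>1023."""
    return a.dport == 3372 and "A" in a.flags and a.dsize > 1023


def is_to_server(a: Alert) -> bool:
    """Approximate flow:to_server from a single packet. Assumption: with no
    session state, the side on a privileged port (<1024) is taken to be the
    server whenever the other side is on an ephemeral port (>=1024)."""
    if a.sport < 1024 <= a.dport:
        return False          # server -> client, e.g. an HTTP response segment
    return True


def rule_1408_flow_aware(a: Alert) -> bool:
    """The same rule with a flow:to_server constraint added."""
    return rule_1408_matches(a) and is_to_server(a)


def triage(a: Alert) -> str:
    """One-line verdict a reviewer can sort thousands of alerts by."""
    if not rule_1408_matches(a):
        return "no match"
    if not is_to_server(a):
        return (f"likely false positive: server port {a.sport} -> client ephemeral "
                f"port {a.dport}, a response stream rather than a request to MSDTC")
    return f"investigate: {a.dsize}-byte ACK segment to tcp/{a.dport} from {a.src}:{a.sport}"


if __name__ == "__main__":
    for block in SAMPLE_ALERTS:
        alert = parse_alert(block)
        print(f"{alert.src}:{alert.sport} -> {alert.dst}:{alert.dport}  {triage(alert)}")
```

Run against the posted alert, the script reports a likely false positive (port 80 sending to 3372), while the constructed ephemeral-port record still matches under the flow-aware variant and is marked for investigation. The same idea, tuning on direction and session state rather than suppressing the signature outright, is what keeps the rule useful for the case it was written for.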