Snort mailing list archives
RFC: SHELLCODE and WEBDAV alerts
From: "Michael Shirk" <shirkdog_linux () hotmail com>
Date: Thu, 18 Mar 2004 10:56:30 -0500
Here is the activity that I have been seeing with no explanation. Here are the first 12 alerts, where the payload is 1460 bytes of all (90) or . characters:

SHELLCODE x86 NOOP 3/15/2004 17:30:10
SHELLCODE x86 NOOP 3/15/2004 17:30:10
SHELLCODE x86 NOOP 3/15/2004 17:30:10
SHELLCODE x86 NOOP 3/15/2004 17:30:10
SHELLCODE x86 NOOP 3/15/2004 17:30:10
SHELLCODE x86 NOOP 3/15/2004 17:30:10
SHELLCODE x86 NOOP 3/15/2004 17:30:10
SHELLCODE x86 NOOP 3/15/2004 17:30:10
SHELLCODE x86 NOOP 3/15/2004 17:30:10
SHELLCODE x86 NOOP 3/15/2004 17:30:10
SHELLCODE x86 NOOP 3/15/2004 17:30:10
SHELLCODE x86 NOOP 3/15/2004 17:30:10

Then I get one WEBDAV alert with a payload of 1460:

WEB-MISC WebDAV search access 3/15/2004 17:30:10

which contains the following string:

SEARCH /

followed by 90 or . characters.

I have not seen any viruses of this nature and it is either a terrible false positive or some kind of script. I have seen different sources with the same exact pattern. I am going to write a rule for this but am wondering if anyone has seen the things in THEIR LOGS?
Regards,
Shirkdog
http://www.shirkdog.us
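The pattern the post describes (a request that begins with the WebDAV verb SEARCH / and is then padded with a long run of a single byte, 0x90 or '.', split into 1460-byte TCP segments that each trip the SHELLCODE x86 NOOP rule) is easy to check for offline before writing a signature. The following classifier is an added example, not code from the post or from the Snort project; the payloads it runs over are constructed here, not captured traffic, and the label names, the min_run threshold and the helper names are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# 1460 bytes is the usual TCP MSS on Ethernet, which is why every padded
# segment in the post carries exactly 1460 bytes: a long padded request is
# delivered as a series of full segments, each scored by Snort on its own.
SEGMENT = 1460

# Constructed sample payloads (assumed shapes, not captured data).
SAMPLES = {
    "webdav_nop_pad": b"SEARCH /" + b"\x90" * (SEGMENT - 8),
    "webdav_dot_pad": b"SEARCH /" + b"." * (SEGMENT - 8),
    "nop_segment": b"\x90" * SEGMENT,
    "benign_get": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "legit_search": (b"SEARCH / HTTP/1.1\r\nHost: example.test\r\n"
                     b"Content-Type: text/xml\r\n\r\n"
                     b'<?xml version="1.0"?><g:searchrequest xmlns:g="DAV:">'
                     b"<g:sql>SELECT * FROM scope()</g:sql></g:searchrequest>"),
}


@dataclass
class Verdict:
    webdav_search: bool      # payload starts with the WebDAV SEARCH verb
    pad_byte: Optional[int]  # byte forming the longest run, when it is long enough
    run_length: int          # length of the longest single-byte run in the payload
    label: str               # "webdav-search-padded", "padded-segment" or "benign"


def longest_run(data: bytes) -> Tuple[Optional[int], int]:
    """Return (byte, length) of the longest run of one repeated byte."""
    best_byte, best_len = None, 0
    # (.)\1* matches a maximal run of a single byte; DOTALL lets '.' match 0x0a.
    for m in re.finditer(rb"(.)\1*", data, re.DOTALL):
        length = m.end() - m.start()
        if length > best_len:
            best_byte, best_len = m.group(1)[0], length
    return best_byte, best_len


def classify(payload: bytes, min_run: int = 64) -> Verdict:
    """Label one TCP segment or request body by the padding pattern it carries.

    min_run is the shortest single-byte run treated as padding; a legitimate
    XML SEARCH body never contains a run that long, while the post's segments
    carry runs of 1452 to 1460 bytes.
    """
    webdav = payload[:8].upper() == b"SEARCH /"
    byte, run = longest_run(payload)
    if run < min_run:
        return Verdict(webdav, None, run, "benign")
    if webdav:
        return Verdict(webdav, byte, run, "webdav-search-padded")
    return Verdict(webdav, byte, run, "padded-segment")


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        v = classify(payload)
        print(f"{name:16} {v.label:22} run={v.run_length:5} byte={v.pad_byte}")
```

The two labels separate the single WEB-MISC WebDAV search access hit (the segment that still carries the SEARCH / prefix) from the follow-on SHELLCODE x86 NOOP hits, which are the remaining padding segments and contain no request line at all; correlating the two by source, destination and timestamp, as the post does by hand, turns thirteen alerts into one event. Because the longest-run check is byte-agnostic, it treats 0x90 and '.' padding the same way, so it does not matter whether the dots are literal ASCII or the console's rendering of a non-printable byte.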