Snort mailing list archives

Alerts not getting into log


From: niceshorts () yahoo com
Date: Wed, 26 Sep 2001 12:32:40 -0500

    I'm getting a few invalid alerts mixed in with all the
    Nimda alerts I am getting.

    Here's an example:

[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
09/26-12:20:44.957813 172.16.1.1:4823 -> 172.16.100.100:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:3051
***AP*** Seq: 0x712F912F  Ack: 0x25AC2519  Win: 0x4470  TcpLen: 20

[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
09/26-12:20:45.511397 172.16.1.1:4822 -> 172.16.100.100:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:3052
***AP*** Seq: 0x712EE982  Ack: 0x25AB953F  Win: 0x4470  TcpLen: 20

    These alerts do not get logged to the binary snort log.

    Anomalies: TOS has the high order nybble lit up, IP ID field
    is 0, and the length is 3052 bytes.

    Not likely an actual packet but a stream reassembly problem?

    If there is anything I should do, please let me know.

    OS: win2k advanced server
    snort -V

-*> Snort! <*-
Version 1.8-WIN32 (Build 77)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, www.datanerds.net/~mike)
1.8-WIN32 Port By Chris Reid (chris.reid () codecraftconsultants com)
          (based on code from 1.7 port)

    TIA,

    anthony kim

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
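As an added example (not from the post or from Snort itself), a small Python triage script that parses full-format alert records like the ones above and flags the three oddities the post lists, so alerts that look like reassembled pseudo-packets can be set aside for review. The 1500-byte Ethernet MTU threshold is an assumption, and the second, ordinary-looking record in the sample is constructed.

```python
import re

# Header lines of a Snort "full" alert record, as shown in the post; only the fields the anomalies refer to are captured.
SIG_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")
IP_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+) "
                   r"IpLen:(\d+) DgmLen:(\d+)")
ETHERNET_MTU = 1500  # assumption: Ethernet sensor, so a real datagram fits in 1500 bytes

def parse_alerts(text):
    """Split a full-format alert file into records and pull out the fields we check."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 4:
            continue
        sig, flow, ip = SIG_RE.match(lines[0]), FLOW_RE.match(lines[2]), IP_RE.match(lines[3])
        if not (sig and flow and ip):
            continue  # not a full-format record: skip rather than guess
        alerts.append({"msg": sig.group(4), "src": flow.group(2), "dst": flow.group(3),
                       "tos": int(ip.group(3), 16), "ip_id": int(ip.group(4)),
                       "dgm_len": int(ip.group(6))})
    return alerts

def anomalies(alert):
    """The three oddities the post lists; several together suggest a reassembled pseudo-packet, not wire data."""
    found = []
    if alert["tos"] & 0xF0:
        found.append("tos_high_nibble")
    if alert["ip_id"] == 0:
        found.append("ip_id_zero")
    if alert["dgm_len"] > ETHERNET_MTU:
        found.append("oversized_datagram")
    return found

# Constructed sample: the first record from the post plus an ordinary-looking alert.
SAMPLE = """\
[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
09/26-12:20:44.957813 172.16.1.1:4823 -> 172.16.100.100:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:3051
***AP*** Seq: 0x712F912F  Ack: 0x25AC2519  Win: 0x4470  TcpLen: 20

[**] [1:1002:1] WEB-IIS cmd.exe access [**]
[Classification: Attempted User Privilege Gain] [Priority: 8]
09/26-12:21:03.102000 10.9.8.7:1040 -> 172.16.100.100:80
TCP TTL:113 TOS:0x0 ID:34221 IpLen:20 DgmLen:352
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x4470  TcpLen: 20
"""
```

Running `anomalies` over `parse_alerts(SAMPLE)` flags all three oddities on the first record and none on the second, which is the split a reviewer wants before deciding whether the unlogged alerts are worth chasing.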
