Snort mailing list archives

spurious .ida attempt detects


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Fri, 16 Nov 2001 16:55:37 +1300 (NZDT)

Hi,
I am running snort-1.8.1-RELEASE on a Debian box.  For some 
time now I have been getting alerts for the '.ida attempt' but no 
packets were logged. I reported this a couple of weeks ago but I did 
not see any responses.

I have just realised that there is something else odd about these 
alerts; the MAC addresses are both zero:

[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]
11/16-14:39:24.545389 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x24E
130.123.128.24:1754 -> 130.216.35.105:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:576
***AP*** Seq: 0xCB6CF3A1 Ack: 0xE03784F8 Win: 0x7DA0 TcpLen: 20

In this particular hour we logged 9 .ida alerts and none had packet 
data recorded (and all were also missing the MAC addresses).  Of these, 
at least two were not Code Red (I can tell from the Argus logs, and in 
one case I have verified with the server admin).

Any ideas what is going on?

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
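As an added example, not part of the post and not Snort's own code, here is a small Python parser for the classic alert format quoted above. It pulls the header, classification, link-layer and IP fields apart, re-joins the "IpLen:" line wrap that the mail archive introduces, and counts per signature how many alerts carry the all-zero Ethernet addresses the post describes, so a reader can separate those from ordinary alerts before chasing the missing packet logs. The first sample alert is the one from the post; the second is constructed, with invented MAC addresses and RFC 5737 test IPs, to give the count something to contrast against. Whether zeroed addresses explain the absent packet data is not something the alert text alone can settle.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input. The first alert is the one quoted in the post,
# including the line wrap before "IpLen:". The second is invented (made-up
# MACs, RFC 5737 test addresses) so the triage summary has a normal alert
# to compare against.
SAMPLE_ALERTS = """\
[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
 [Classification: Attempted Administrator Privilege Gain] [Priority: 10]
 11/16-14:39:24.545389 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x24E
 130.123.128.24:1754 -> 130.216.35.105:80 TCP TTL:240 TOS:0x10 ID:0
IpLen:20 DgmLen:576
 ***AP*** Seq: 0xCB6CF3A1 Ack: 0xE03784F8 Win: 0x7DA0 TcpLen: 20

[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
 [Classification: Attempted Administrator Privilege Gain] [Priority: 10]
 11/16-14:41:02.113377 0:2:B3:1A:2C:4D -> 0:D0:B7:5E:9F:10 type:0x800 len:0x5EA
 192.0.2.10:3421 -> 198.51.100.7:80 TCP TTL:113 TOS:0x0 ID:41337 IpLen:20 DgmLen:1500 DF
 ***A**** Seq: 0x1A2B3C4D Ack: 0x5E6F7081 Win: 0x4470 TcpLen: 20
"""

_HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
_CLASS = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
_ETH = re.compile(r"^(\S+) (\S+) -> (\S+) type:0x([0-9A-Fa-f]+) len:0x[0-9A-Fa-f]+$")
_IP = re.compile(
    r"^(\S+):(\d+) -> (\S+):(\d+) (\w+) TTL:(\d+) TOS:0x[0-9A-Fa-f]+ "
    r"ID:(\d+) IpLen:\d+ DgmLen:(\d+)"
)


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: Optional[int]
    timestamp: str
    src_mac: str
    dst_mac: str
    eth_type: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    ttl: int
    ip_id: int
    dgm_len: int


def _logical_lines(block: str) -> List[str]:
    """Strip indentation and re-join an 'IpLen:' continuation line produced by mail wrapping."""
    out: List[str] = []
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("IpLen:") and out:
            out[-1] = out[-1] + " " + line
        else:
            out.append(line)
    return out


def parse_alert(block: str) -> Alert:
    """Parse one classic-format Snort alert (header, optional classification, eth, ip lines)."""
    lines = _logical_lines(block)
    h = _HEADER.match(lines[0])
    if not h:
        raise ValueError(f"not an alert header: {lines[0]!r}")
    i = 1
    classification, priority = None, None
    c = _CLASS.match(lines[i])
    if c:  # the classification line is only present when the rule has one
        classification, priority = c[1], int(c[2])
        i += 1
    e = _ETH.match(lines[i])
    ip = _IP.match(lines[i + 1])
    if not e or not ip:
        raise ValueError(f"unrecognised alert body: {lines[i:i + 2]!r}")
    return Alert(
        gid=int(h[1]), sid=int(h[2]), rev=int(h[3]), msg=h[4],
        classification=classification, priority=priority,
        timestamp=e[1], src_mac=e[2], dst_mac=e[3], eth_type=int(e[4], 16),
        src_ip=ip[1], src_port=int(ip[2]), dst_ip=ip[3], dst_port=int(ip[4]),
        proto=ip[5], ttl=int(ip[6]), ip_id=int(ip[7]), dgm_len=int(ip[8]),
    )


def parse_alerts(text: str) -> List[Alert]:
    """Split an alert file on blank lines and parse every record."""
    return [parse_alert(b) for b in re.split(r"\n[ \t]*\n", text) if b.strip()]


def _mac_is_zero(mac: str) -> bool:
    return all(int(octet, 16) == 0 for octet in mac.split(":"))


def zero_link_layer(a: Alert) -> bool:
    """True when both Ethernet addresses are all-zero, the pattern the post reports."""
    return _mac_is_zero(a.src_mac) and _mac_is_zero(a.dst_mac)


def triage(alerts: List[Alert]) -> Dict[str, Dict[str, int]]:
    """Per gid:sid, count total alerts and how many have a zeroed link-layer header."""
    summary: Dict[str, Dict[str, int]] = {}
    for a in alerts:
        entry = summary.setdefault(f"{a.gid}:{a.sid}", {"total": 0, "zero_link_layer": 0})
        entry["total"] += 1
        if zero_link_layer(a):
            entry["zero_link_layer"] += 1
    return summary


if __name__ == "__main__":
    for sig, counts in triage(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{sig}: {counts['zero_link_layer']} of {counts['total']} alerts have zeroed MACs")
```

Pointing `parse_alerts` at a real alert file gives the same per-signature split, which is the quickest way to see whether the alerts with zero MACs are the same ones that never produced a packet log.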


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users