Snort mailing list archives
Re: spurious .ida attempt detects "and corrupt pcap file"
From: Phil Wood <cpw () lanl gov>
Date: Fri, 16 Nov 2001 10:35:08 -0700
I happened to look at my pcap (-b) file on a 1.8.3 run and it had some of what I figured were snort-crafted pcap entries with all zeros in the beginning of the "packet". In my case, the IP and TCP headers were also zero. However, down further in the data area, there was this something that reminded me of NIMDA:

tcpdump -n -r log/codered/last.CR not tcp -c 1 -s 1514 -x | hextotex
1 packets received by filter
16:53:26.082431 0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 I (s=0,r=0,C) len=1500
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000502 00503b0c : P; :
753b111f a69d5018 77c40000 00000000 00000000 : u; P w :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00000000 00000000 : :
00000000 00000000 00000000 00004745 54202f64 : GET /d :
65666175 6c742e69 64613f4e 4e4e4e4e 4e4e4e4e : efault.ida?NNNNNNNNN :
4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
4e4e4e4e 4e4e4e4e 4e4e4e4e 4e4e4e00 00000000 : NNNNNNNNNNNNNNN :
00000000 00000000 0000c303 00000078 00fa2025 : x % :
75393039 30257536 38353825 75636264 33257537 : u9090%u6858%ucbd3%u7 :
38303125 75393039 30257536 38353825 75636264 : 801%u9090%u6858%ucbd :
33257537 38303125 75393039 30257539 30393025 : 3%u7801%u9090%u9090% :
75383139 30257530 30633325 75303030 33257538 : u8190%u00c3%u0003%u8 :
62303025 75353331 62257535 33666625 75303037 : b00%u531b%u53ff%u007 :
38257530 30303025 7530303d 61202048 5454502f : 8%u0000%u00=a HTTP/ :
312e300d 0a436f6e 74656e74 2d747970 653a2074 : 1.0 Content-type: t :
6578742f 786d6c0a 484f5354 3a777777 2e776f72 : ext/xml HOST:www.wor :
6d2e636f 6d0a2041 63636570 743a202a 2f2a0a43 : m.com Accept: */* C :
6f6e7465 6e742d6c 656e6774 683a2033 35363920 : ontent-length: 3569 :
0d0a0d0a 558bec81 ec180200 00535657 8dbde8fd : U SVW :
ffffb986 000000b8 cccccccc f3abc785 70feffff : p :
00000000 e90a0b00 008f8568 feffff8d bdf0feff : h :
ff64a100 00000089 47086489 3d000000 00e96f0a : d G d = o :
00008f85 60feffff c785f0fe ffffffff ffff8b85 : ` :
68feffff 83e80789 85f4feff ffc78558 feffff00 : h X :
00e077e8 9b0a0000 83bd70fe ffff000f 85dd0100 : w p :
008b8d58 feffff81 c1000001 00898d58 feffff81 : X X :
bd58feff ff000000 78750ac7 8558feff ff0000f0 : X xu X :
bf8b9558 feffff33 c0668b02 3d4d5a00 000f859a : X 3 f =MZ :
0100008b 8d58feff ff8b513c 8b8558fe ffff33c9 : X Q< X 3 :
668b0c10 81f95045 00000f85 79010000 8b9558fe : f PE y X :
ffff8b42 3c8b8d58 feffff8b 54017803 9558feff : B< X T x X :
ff899554 feffff8b 8554feff ff8b480c 038d58fe : T T H X :

On Fri, Nov 16, 2001 at 04:55:37PM +1300, Russell Fulton wrote:
> I have just realised that there is something else odd about these alerts. The
> MAC addresses are both zero:
>
> [**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 10]
> 11/16-14:39:24.545389 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x24E
> 130.123.128.24:1754 -> 130.216.35.105:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:576
> ***AP*** Seq: 0xCB6CF3A1 Ack: 0xE03784F8 Win: 0x7DA0 TcpLen: 20
--
Phil Wood, cpw () lanl gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- spurious .ida attempt detects Russell Fulton (Nov 15)
- Re: spurious .ida attempt detects "and corrupt pcap file" Phil Wood (Nov 16)
- Re: spurious .ida attempt detects Martin Roesch (Nov 19)