Snort mailing list archives
Unusual http traffic
From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Mon, 22 Oct 2001 13:27:42 -0400
I've been seeing the following URLs in our web server logs. They certainly look suspicious.

GET /`n@/..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA../winnt/system32/cmd.exe /c+dir 403 5 3135 133 15 - - - -
GET /`n@/..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /`n@/..GetVersion..GetVersion..GetVersion..GetVersion..GetVersion../winnt/system32/cmd.exe /c+dir 403 5 3135 108 16 - - - -
GET /`n@/..TlsGetValue..TlsGetValue..TlsGetValue..TlsGetValue..TlsGetValue../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /`n@/..SetLastError..SetLastError..SetLastError..SetLastError..SetLastError../winnt/system32/cmd.exe /c+dir 403 5 3135 118 16 - - - -
GET /`n@/..RegCloseKey..RegCloseKey..RegCloseKey..RegCloseKey..RegCloseKey../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /`n@/..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA../winnt/system32/cmd.exe /c+dir 403 5 3135 163 16 - - - -

Nothing's picked up by Snort or NFR. Any ideas?

-----Original Message-----
From: Syed Mohammad Talha [mailto:talha () cbq com qa]
Sent: Saturday, October 20, 2001 1:15 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] So many of false alerts

Hi,

I am getting so many false alerts, like:

MISC source port 53 to <1024    7648
UDP scan    594
DNS zone transfer <http://whitehats.com/IDS/IDS212> [arachNIDS]    396
TCP ******S* scan    291
Virus - Possible pif Worm    197

and lots more. Can someone help me in reducing these?

Regards,
Talha
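As an added example (not from the post, and not a Snort or NFR signature), a small Python log scanner that flags the request pattern shown above. The field order it parses is an assumption read off the excerpt; the sample lines are constructed, and the one with a 200 status is made up to show how a blocked request (403) is separated from one the server may have run.

```python
import re
from urllib.parse import unquote

# Assumed field order (not stated in the post): method, URI, query, status,
# win32-status, bytes-sent, bytes-received, time-taken.
LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<uri>\S+) (?P<query>\S+) (?P<status>\d{3}) (?P<win32>\d+)"
)

# Constructed sample: two lines modelled on the post's excerpt, one ordinary
# request, and one made-up 200 response to show the severity check.
SAMPLE_LOG = """\
GET /`n@/..GetVersion..GetVersion..GetVersion../winnt/system32/cmd.exe /c+dir 403 5 3135 108 16 - - - -
GET /`n@/..TlsGetValue..TlsGetValue..TlsGetValue../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /index.html - 200 0 1043 221 3 - - - -
GET /scripts/../winnt/system32/cmd.exe /c+dir 200 0 450 120 8 - - - -
"""

def parse_line(line):
    """Split the leading fields of one log line; None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def reasons_for(entry):
    """Return why a request looks like a shell-execution attempt (empty if clean)."""
    path = unquote(entry["uri"]).lower()
    query = unquote(entry["query"]).lower()
    reasons = []
    if path.endswith("cmd.exe") or "/system32/" in path:
        reasons.append("request for a system shell path")
    # The post's lines pad each '..' pair with API names instead of using a plain
    # '../', so a signature keyed on '../' misses them; test whole segments instead.
    if any(seg.startswith("..") and seg.endswith("..") for seg in path.split("/")):
        reasons.append("dot-dot traversal segment")
    if query.startswith("/c+") or query.startswith("/c "):
        reasons.append("cmd.exe /c switch in query")
    return reasons

def scan(log_text):
    """Return (line_no, status, severity, reasons) for suspicious lines. A 403 means
    IIS refused the request; a 2xx on the same pattern means it may have run."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        reasons = reasons_for(entry) if entry else []
        if reasons:
            severity = "high" if entry["status"].startswith("2") else "blocked"
            hits.append((n, entry["status"], severity, reasons))
    return hits
```

Run `scan(SAMPLE_LOG)` against a real IIS log only after checking that its field order matches the assumption in LINE_RE.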
Current thread:
- Unusual http traffic Fraser Hugh (Oct 22)
- <Possible follow-ups>
- RE: Unusual http traffic Kevin Brown (Oct 22)
- RE: Unusual http traffic Fraser Hugh (Oct 22)
- Re: Unusual http traffic Chris Green (Oct 22)
- RE: Unusual http traffic Fraser Hugh (Oct 23)