Snort mailing list archives

Unusual http traffic


From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Mon, 22 Oct 2001 13:27:42 -0400

I've been seeing the following URLs on our web server logs. They certainly
look suspicious.
 
GET /`n@/..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA../winnt/system32/cmd.exe /c+dir 403 5 3135 133 15 - - - -
GET /`n@/..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /`n@/..GetVersion..GetVersion..GetVersion..GetVersion..GetVersion../winnt/system32/cmd.exe /c+dir 403 5 3135 108 16 - - - -
GET /`n@/..TlsGetValue..TlsGetValue..TlsGetValue..TlsGetValue..TlsGetValue../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /`n@/..SetLastError..SetLastError..SetLastError..SetLastError..SetLastError../winnt/system32/cmd.exe /c+dir 403 5 3135 118 16 - - - -
GET /`n@/..RegCloseKey..RegCloseKey..RegCloseKey..RegCloseKey..RegCloseKey../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /`n@/..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA../winnt/system32/cmd.exe /c+dir 403 5 3135 163 16 - - - -
 
Nothing's picked up by Snort or NFR. Any ideas?
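The log lines above can be triaged directly from the web server log while the IDS question is sorted out. The following is an added example, not code from the post or from Snort: it parses lines in the shape shown (assumed to be IIS W3C-style fields: method, uri-stem, uri-query, status, win32-status, bytes, then unlogged fields as "-"), flags the same indicators the posted URLs carry (cmd.exe, the /winnt/system32/ path, dot-dot traversal), and keeps the status code so a 403 (refused, as in the post) can be told apart from a 200 (the request was served). The sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the same shape as the posted log excerpt; the last line
# is a made-up variant that was answered with 200 rather than 403.
SAMPLE_LOG = """\
GET /`n@/..GetVersion..GetVersion..GetVersion..GetVersion..GetVersion../winnt/system32/cmd.exe /c+dir 403 5 3135 108 16 - - - -
GET /`n@/..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /index.html - 200 0 2048 98 4 - - - -
GET /scripts/../../winnt/system32/CMD.EXE /c+dir 200 0 4096 120 20 - - - -
"""

# Indicators taken from the posted URLs. Matching is case-insensitive because
# IIS resolves paths case-insensitively (the same reason a Snort content match
# on "cmd.exe" needs nocase).
CMD_RE = re.compile(r"cmd\.exe", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"/winnt/system32/", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.")

@dataclass
class Hit:
    uri: str
    query: str
    status: int
    reasons: tuple

def parse_line(line):
    """Split one W3C-style line into (method, uri_stem, uri_query, status) or None."""
    parts = line.split()
    if len(parts) < 4 or not parts[3].isdigit():
        return None
    return parts[0], parts[1], parts[2], int(parts[3])

def classify(line):
    """Return a Hit when the request looks like the cmd.exe probes, else None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    _, stem, query, status = parsed
    reasons = []
    if CMD_RE.search(stem):
        reasons.append("cmd.exe in URI")
    if SYSTEM32_RE.search(stem):
        reasons.append("winnt/system32 path")
    if TRAVERSAL_RE.search(stem):
        reasons.append("dot-dot traversal")
    return Hit(stem, query, status, tuple(reasons)) if reasons else None

def scan(log_text):
    """Classify every line; a hit with status 200 means the probe was served, not refused."""
    return [h for h in (classify(l) for l in log_text.splitlines()) if h]
```

Any hit with a 200 status deserves a host-level look, since the 403s in the post show the server refusing the request, while a 200 would mean it did not.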
-----Original Message-----
From: Syed Mohammad Talha [mailto:talha () cbq com qa]
Sent: Saturday, October 20, 2001 1:15 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] So many of false alerts


Hi,
 
I am getting so many false alerts, like:
 
MISC source port 53 to <1024                                        7648
UDP scan                                                             594
DNS zone transfer <http://whitehats.com/IDS/IDS212> [arachNIDS]      396
TCP ******S* scan                                                    291
Virus - Possible pif Worm                                            197
and lots more. Can someone help me reduce these?
 
Regards.
Talha
