Snort mailing list archives

Current Attack...


From: "Vadim Pushkin" <wiskbroom () hotmail com>
Date: Tue, 07 May 2002 14:17:47 +0000

Greets

I am receiving a lot of complaints recently from one of my sensors.
However, when I view the payload, using ACID, I get a different
IP address from the one that shows up as the source IP. Also,
what would cause MySQL to barf at an attempt to enter this data
into itself?

Thanks,

Vadim


My Pay_Load:

#(2 - 35923) [2002-05-07 08:59:12] ICMP Destination Unreachable (Fragmentation Needed and DF bit was set)
IPv4: 163.13.1.11 -> xxx.yyy.zzz.111 (I changed this on purpose)
     hlen=5 TOS=0 dlen=56 ID=10053 flags=0 offset=0 TTL=46 chksum=31997
ICMP: type=Destination Unreachable code=Fragmentation Needed/DF set
     checksum=41848 id= seq=
Payload:  length = 32

000 : 00 00 05 D4 45 00 05 DC 27 45 40 00 F0 06 75 38   ....E...'E@...u8
010 : 3F 42 05 29 A3 0D 01 26 F0 D2 00 19 81 C4 E0 FE   ?B.)...&........

FROM_SENSOR:

May 7 05:52:37 obsd snort: database: mysql_error: Duplicate entry '2-35923' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('2', '35923', '34', '2002-05-07 05:52:37+00')
May 7 05:52:37 obsd snort: database: mysql_error: Duplicate entry '2-35923' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('2', '35923', '34', '2002-05-07 05:52:37+00')
May 7 05:52:37 obsd snort: database: mysql_error: Duplicate entry '2-35923' for key 1 SQL=INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum) VALUES ('2','35923','3','4','41848')
May 7 05:52:37 obsd snort: database: mysql_error: Duplicate entry '2-35923' for key 1 SQL=INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum) VALUES ('2','35923','3','4','41848')
May 7 05:52:37 obsd snort: database: mysql_error: Duplicate entry '2-35923' for key 1 SQL=INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver,ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES ('2','35923','2735538443','1061291305','4','5','0','56','10056','0','0','46','1','31994')
May 7 05:52:37 obsd snort: database: mysql_error: Duplicate entry '2-35923' for key 1 SQL=INSERT INTO iphdr (sid, cid, ip_src, ip_dst, ip_ver,ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,ip_ttl, ip_proto, ip_csum) VALUES ('2','35923','2735538443','1061291305','4','5','0','56','10056','0','0','46','1','31994')
May 7 05:52:37 obsd snort: database: mysql_error: Duplicate entry '2-35923' for key 1 SQL=INSERT INTO data (sid,cid,data_payload) VALUES ('2','35923','000005D4450005DC27484000F00675353F420529A30D0126F0D2001981C4E0FE')
May 7 05:52:37 obsd snort: database: mysql_error: Duplicate entry '2-35923' for key 1 SQL=INSERT INTO data (sid,cid,data_payload) VALUES ('2','35923','000005D4450005DC27484000F00675353F420529A30D0126F0D2001981C4E0FE')


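Added example (editor's note, not part of the original post or of Snort/ACID): the "different IP address" in the payload is not a display bug. For an ICMP type 3 / code 4 message, the body after the 8-byte ICMP header carries two unused bytes, the 16-bit next-hop MTU, and then the IP header plus first 8 bytes of the datagram that could not be forwarded (RFC 792 / RFC 1191). So the outer source 163.13.1.11 is the router that dropped the packet, and the addresses inside the payload belong to the original oversized datagram. The decoder below walks the 32 payload bytes shown in the ACID output above (embedded inline as a constant; the field names are this example's own) and recovers the inner header. Note that the data_payload in the FROM_SENSOR SQL differs in a few bytes (inner IP ID 0x2748 = 10056, matching the ip_id in the iphdr INSERT) from the ACID copy (0x2745 = 10053), so the log lines and the ACID screen show two separate ICMP errors logged under the same (sid, cid) pair.

```python
import ipaddress
import struct

# Constructed from the 32-byte payload in the ACID output above: the bytes
# following the 8-byte ICMP header of the Destination Unreachable message.
PAYLOAD_HEX = "000005D4450005DC27454000F00675383F420529A30D0126F0D2001981C4E0FE"


def parse_frag_needed(payload: bytes) -> dict:
    """Decode the body of an ICMP type 3 / code 4 (Fragmentation Needed, DF set)
    message: 2 unused bytes, 16-bit next-hop MTU, then the original datagram's
    IPv4 header and the first 8 bytes of its transport header."""
    if len(payload) < 4 + 20:
        raise ValueError("payload too short for next-hop MTU plus an IPv4 header")

    _unused, next_hop_mtu = struct.unpack("!HH", payload[:4])
    inner = payload[4:]

    (ver_ihl, tos, total_len, ident, flags_off,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError(f"embedded header is not IPv4 (version={version}, ihl={ihl})")

    info = {
        "next_hop_mtu": next_hop_mtu,
        "inner_src": str(ipaddress.IPv4Address(src)),   # host that sent the big packet
        "inner_dst": str(ipaddress.IPv4Address(dst)),   # where it was going
        "inner_len": total_len,
        "inner_id": ident,
        "df": bool(flags_off & 0x4000),
        "mf": bool(flags_off & 0x2000),
        "frag_offset": (flags_off & 0x1FFF) * 8,
        "ttl": ttl,
        "proto": proto,
        "inner_csum": csum,
        "tos": tos,
    }

    # RFC 792 only guarantees 8 bytes of the original transport header: enough
    # for TCP/UDP ports and, for TCP, the sequence number.
    l4 = inner[ihl:ihl + 8]
    if proto in (6, 17) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 8:
        info["seq"] = struct.unpack("!I", l4[4:8])[0]
    return info


def summarize(payload_hex: str, icmp_src: str) -> str:
    """Triage-style one-liner: who dropped what, and why."""
    p = parse_frag_needed(bytes.fromhex(payload_hex))
    ports = ""
    if "sport" in p:
        ports = f" ports {p['sport']}->{p['dport']}"
    return (f"{icmp_src} reports it cannot forward a {p['inner_len']}-byte "
            f"datagram from {p['inner_src']} to {p['inner_dst']} (proto {p['proto']}{ports}, "
            f"DF={p['df']}); next-hop MTU is {p['next_hop_mtu']}")


if __name__ == "__main__":
    print(summarize(PAYLOAD_HEX, "163.13.1.11"))
```

For the payload on this page the decoder yields a 1500-byte TCP segment, DF set, from 63.66.5.41 to 163.13.1.38 port 25, that hit a hop with a 1492-byte MTU at 163.13.1.11. That is ordinary path-MTU discovery traffic from an SMTP session, which is why a busy mail sender generates this alert repeatedly.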

