Snort mailing list archives
"id command attempt" malformed packet
From: "Abe Wagner" <abewagner () hotmail com>
Date: Fri, 10 May 2002 11:52:18 -0400
Hi,

Recently I have been logging a lot of "id command attempt" attacks. When I examine the alert log, it looks very normal, with identified source and destination ip addresses and tcp ports. However, when I look into the packet, almost no relevant information seems to be there. If I look into the "Trailer" information, I can see the data "fc 30 00 50" which I surmise is the source and destination ports of 64560 and 80.
I am logging thousands of other packets daily and they are all showing up very nicely in the tcpdump -- but not the packets from the "id command attempt" type of attack. If these packets really don't contain my ip address, how do they get to my server? Or is it some sort of logging error? I have watched the attacks increase in number and frequency over the last several weeks and I am getting nervous...
Thanks,
Abe

PS: I am using snort 1.8.3 on W2K.

-----Alert generated by snort

05/07-23:37:35.723647 [**] [1:1333:1] WEB-ATTACKS id command attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 24.100.12.135:64560 -> xxx.xxx.xxx.xxx:80

-----Packet captured by snort tcpdump, viewed by Ethereal

Frame 2190 (676 on wire, 676 captured)
    Arrival Time: May 7, 2002 23:37:35.723647000
    Time delta from previous packet: 457.393350000 seconds
    Time relative to first packet: 112488.865603000 seconds
    Frame Number: 2190
    Packet Length: 676 bytes
    Capture Length: 676 bytes
IEEE 802.3 Ethernet
    Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
    Source: 00:00:00:00:00:00 (XEROX_00:00:00)
    Length: 0
    Trailer: 00000000000000000000000000000000...
[Malformed Packet: LLC]

0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170 fc 30 00 50 14 19 98 0d 6d 72 00 ee 50 18 3b d4 .0.P....mr..P.;.
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
02a0 00 00 00 00                                     ....
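One way to check what the captured frame actually contains, added here as an example that is not from the original post or from Snort/Ethereal: rebuild the 676-byte frame from the dump rows, find the first non-zero byte, and decode the 20 bytes there as a TCP header. It assumes a standard TCP header layout at that offset and that the rows omitted from the embedded dump are zero, as the post's full dump shows.

```python
import re
import struct

# Rows copied from the Ethereal dump in the post (offsets 0x160-0x190);
# every other row of the 676-byte frame is all zeros, so it is left out
# here and filled in as zero by parse_hexdump().
HEXDUMP = """\
0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170 fc 30 00 50 14 19 98 0d 6d 72 00 ee 50 18 3b d4 .0.P....mr..P.;.
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
"""
FRAME_LEN = 676  # "Frame 2190 (676 on wire, 676 captured)"

ROW_RE = re.compile(r"^([0-9a-fA-F]{4})((?:\s+[0-9a-fA-F]{2}){1,16})")


def parse_hexdump(text, frame_len):
    """Rebuild the frame from 'offset xx xx ...' rows; missing rows stay zero."""
    frame = bytearray(frame_len)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        off = int(m.group(1), 16)
        data = bytes.fromhex("".join(m.group(2).split()))
        frame[off:off + len(data)] = data
    return bytes(frame)


def first_nonzero(frame):
    """Offset of the first non-zero byte, or None if the frame is all zeros."""
    return next((i for i, b in enumerate(frame) if b), None)


def decode_tcp(frame, off):
    """Decode the 20-byte TCP header at `off` (assumed standard TCP layout)."""
    src, dst, seq, ack, offres, flags, win, csum, urg = struct.unpack(
        "!HHIIBBHHH", frame[off:off + 20])
    hdr_len = (offres >> 4) * 4
    names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "hdr_len": hdr_len, "window": win, "checksum": csum, "urgent": urg,
        "flags": [n for i, n in enumerate(names) if flags & (1 << i)],
        # True when nothing follows the header: no HTTP request survives in the capture
        "payload_all_zero": not any(frame[off + hdr_len:]),
    }


if __name__ == "__main__":
    frame = parse_hexdump(HEXDUMP, FRAME_LEN)
    off = first_nonzero(frame)
    # Ethernet (14) + IPv4 without options (20) would put TCP at offset 34.
    print(f"first non-zero byte at 0x{off:x} (a normal TCP header sits at 34)")
    print(decode_tcp(frame, off))
```

The decode confirms the poster's reading of the ports (64560 -> 80, PSH/ACK) and shows that the Ethernet and IP header regions and everything after the 20-byte TCP header are zero, so the request content the rule matched on is not in the logged bytes.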