Snort mailing list archives

"id command attempt" malformed packet


From: "Abe Wagner" <abewagner () hotmail com>
Date: Fri, 10 May 2002 11:52:18 -0400


Hi,
Recently I have been logging a lot of "id command attempt" attacks. When I examine the alert log, it looks very normal, with identified source and destination IP addresses and TCP ports. However, when I look into the packet, almost no relevant information seems to be there. If I look into the "Trailer" information, I can see the data "fc 30 00 50", which I surmise is the source and destination ports of 64560 and 80.

I am logging thousands of other packets daily and they are all showing up very nicely in the tcpdump -- but not the packets from the "id command attempt" type of attack. If these packets really don't contain my IP address, how do they get to my server? Or is it some sort of logging error? I have watched the attacks increase in number and frequency over the last several weeks and I am getting nervous...

Thanks,
Abe

PS. I am using snort 1.8.3 on W2K.


-----Alert generated by snort

05/07-23:37:35.723647 [**] [1:1333:1] WEB-ATTACKS id command attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 24.100.12.135:64560 -> xxx.xxx.xxx.xxx:80



-----Packet captured by snort tcpdump, viewed by Ethereal

Frame 2190 (676 on wire, 676 captured)
   Arrival Time: May  7, 2002 23:37:35.723647000
   Time delta from previous packet: 457.393350000 seconds
   Time relative to first packet: 112488.865603000 seconds
   Frame Number: 2190
   Packet Length: 676 bytes
   Capture Length: 676 bytes
IEEE 802.3 Ethernet
   Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
   Source: 00:00:00:00:00:00 (XEROX_00:00:00)
   Length: 0
   Trailer: 00000000000000000000000000000000...
[Malformed Packet: LLC]

0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0170  fc 30 00 50 14 19 98 0d 6d 72 00 ee 50 18 3b d4   .0.P....mr..P.;.
0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
01f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0200  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0210  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0220  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0230  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0250  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0260  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0280  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0290  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
02a0  00 00 00 00                                       ....



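As an added example (not part of Abe's message), the following Python script rebuilds the 676-byte frame from the dump rows above, checks that the positions where the Ethernet and IP headers would normally sit are all zero, and decodes the only non-zero bytes at offset 0x170 as a TCP header. The dump rows are copied from the post; the regex, function names and the assumption that the rows follow Ethereal's fixed "offset, hex bytes, ASCII" layout are mine.

```python
# Added example (not from the post): rebuild the all-zero frame from the
# Ethereal dump rows and decode the only non-zero bytes as a TCP header.
import re
import struct

FRAME_LEN = 676  # "Frame 2190 (676 on wire, 676 captured)"
# Rows copied from the post; rows not listed are all zeros, as in the dump.
DUMP_ROWS = """\
0170  fc 30 00 50 14 19 98 0d 6d 72 00 ee 50 18 3b d4   .0.P....mr..P.;.
0180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
02a0  00 00 00 00                                       ....
"""
ROW_RE = re.compile(r"^([0-9a-f]{4})  ((?:[0-9a-f]{2} ?){1,16})")
TCP_FLAGS = {1: "FIN", 2: "SYN", 4: "RST", 8: "PSH", 16: "ACK", 32: "URG"}

def frame_from_dump(rows: str, length: int) -> bytes:
    """Parse 'offset  hex bytes   ascii' rows into a zero-filled frame."""
    frame = bytearray(length)
    for line in rows.splitlines():
        m = ROW_RE.match(line)
        if m:
            off = int(m.group(1), 16)
            data = bytes.fromhex(m.group(2).replace(" ", ""))
            frame[off:off + len(data)] = data
    return bytes(frame)

def nonzero_span(frame: bytes):
    """(first, last+1) offsets holding non-zero bytes, or None if all zero."""
    idx = [i for i, b in enumerate(frame) if b]
    return (idx[0], idx[-1] + 1) if idx else None

def decode_tcp(frame: bytes, off: int) -> dict:
    """Decode a fixed 20-byte TCP header at 'off' (options are not parsed)."""
    sp, dp, seq, ack, doff, fl, win, csum, urp = struct.unpack_from(
        "!HHIIBBHHH", frame, off)
    return {"src_port": sp, "dst_port": dp, "seq": seq, "ack": ack,
            "header_len": (doff >> 4) * 4, "window": win, "checksum": csum,
            "urgent": urp, "flags": [n for b, n in TCP_FLAGS.items() if fl & b]}

def analyze(frame: bytes) -> dict:
    """Where the data sits versus a normal Ethernet(14)+IPv4(20) frame."""
    span = nonzero_span(frame)
    if span is None:
        return {"all_zero": True}
    return {"all_zero": False, "frame_len": len(frame),
            "first_nonzero": span[0], "nonzero_len": span[1] - span[0],
            "eth_ip_headers_present": any(frame[:34]),
            "tcp": decode_tcp(frame, span[0])}
if __name__ == "__main__":
    print(analyze(frame_from_dump(DUMP_ROWS, FRAME_LEN)))
```

The decoded bytes read as a PSH/ACK segment from port 64560 to port 80, matching the ports in the Snort alert, while everything before offset 0x170 (where the Ethernet and IP headers would normally be) is zero.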