Snort mailing list archives

Re: What is this packet? Going to M$

From: twig les <twigles () yahoo com>
Date: Thu, 20 Mar 2003 09:18:42 -0800 (PST)

I'm not sure how well it would work but you could start digging
and block all outbound connections to M$ IP ranges.  This will
break things like the update mechanism (if you can break
something that's already broken) and people won't be able to
surf Microsoft's site.  I think I'll try this at my home office
and leave one bsd box open to dl patches (and patches and
patches and ...).  If you're curious ping me privately in a week
or so to find out how goes it.

--- Paul Schmehl <pauls () utdallas edu> wrote:

This is a packet going from a host on our network to port 80
at
207.46.131.156 which is ntservicepack.microsoft.com.  I've
seen these
pretty regularly, and I'm wondering if anyone else is seeing
them as
well?

Appears to me that M$ is taking inventory.......

 length = 1460

000 : 37 30 38 39 39 38 33 0A 61 78 70 65 72 66 2E 69  
7089983.axperf.i
010 : 6E 69 0A 62 61 73 65 73 72 76 2E 64 6C 6C 2C 32  
ni.basesrv.dll,2
020 : 62 34 66 65 32 38 39 0A 62 61 74 6D 65 74 65 72  
b4fe289.batmeter
030 : 2E 64 6C 6C 2C 37 32 38 64 64 33 37 39 0A 62 61  
.dll,728dd379.ba
040 : 74 74 63 2E 73 79 73 2C 31 63 31 38 33 61 65 38  
ttc.sys,1c183ae8
050 : 2C 66 61 32 36 38 35 37 39 0A 62 69 6E 6C 73 76  
,fa268579.binlsv
060 : 63 2E 64 6C 6C 2C 31 34 31 39 39 63 36 31 0A 62  
c.dll,14199c61.b
070 : 72 65 65 63 65 6D 63 2E 73 79 73 2C 37 64 37 31  
reecemc.sys,7d71
080 : 37 36 37 63 2C 65 64 62 33 65 65 37 34 0A 62 72  
767c,edb3ee74.br
090 : 6F 74 68 65 72 2E 64 6C 6C 2C 31 39 34 33 30 34  
other.dll,194304
0a0 : 34 38 0A 62 72 6F 74 68 75 69 2E 64 6C 6C 2C 37  
48.brothui.dll,7
0b0 : 62 65 38 31 32 35 30 2C 38 38 63 36 31 39 31 33  
be81250,88c61913
0c0 : 0A 62 72 6F 77 73 63 61 70 2E 64 6C 6C 2C 35 61  
.browscap.dll,5a
0d0 : 38 62 38 39 66 37 0A 62 72 6F 77 73 65 6C 63 2E  
8b89f7.browselc.
0e0 : 64 6C 6C 2C 66 30 64 37 34 39 36 30 0A 62 72 6F  
dll,f0d74960.bro
0f0 : 77 73 65 72 2E 64 6C 6C 2C 33 34 36 62 30 35 66  
wser.dll,346b05f
100 : 65 0A 62 72 6F 77 73 65 75 69 2E 64 6C 6C 2C 34  
e.browseui.dll,4
110 : 33 32 37 62 33 33 62 0A 63 5F 69 73 32 30 32 32  
327b33b.c_is2022
120 : 2E 64 6C 6C 2C 31 35 32 38 38 65 30 34 0A 63 61  
.dll,15288e04.ca
130 : 63 6C 73 2E 65 78 65 2C 31 63 66 34 37 31 35 39  
cls.exe,1cf47159
140 : 0A 63 61 6C 6C 63 6F 6E 74 2E 64 6C 6C 2C 62 39  
.callcont.dll,b9
150 : 62 62 66 62 62 61 0A 63 61 74 73 72 76 2E 64 6C  
bbfbba.catsrv.dl
160 : 6C 2C 62 39 61 33 62 66 32 35 0A 63 61 74 73 72  
l,b9a3bf25.catsr
170 : 76 75 74 2E 64 6C 6C 2C 31 30 39 38 31 65 35 65  
vut.dll,10981e5e
180 : 0A 63 64 66 73 2E 73 79 73 2C 65 62 30 61 32 30  
.cdfs.sys,eb0a20
190 : 35 63 0A 63 64 66 76 69 65 77 2E 64 6C 6C 2C 31  
5c.cdfview.dll,1
1a0 : 63 32 33 62 63 63 33 0A 63 64 6D 2E 64 6C 6C 2C  
c23bcc3.cdm.dll,
1b0 : 62 30 34 31 63 65 35 32 0A 63 64 6D 6F 64 65 6D  
b041ce52.cdmodem
1c0 : 2E 64 6C 6C 0A 63 64 6F 6E 74 73 2E 64 6C 6C 2C  
.dll.cdonts.dll,
1d0 : 32 39 31 61 34 38 62 33 0A 63 64 6F 73 79 73 2E  
291a48b3.cdosys.
1e0 : 64 6C 6C 2C 34 36 62 32 64 66 39 36 0A 63 64 72  
dll,46b2df96.cdr
1f0 : 6F 6D 2E 73 79 73 2C 35 63 36 32 66 33 35 64 0A  
om.sys,5c62f35d.
200 : 63 65 72 74 63 6C 69 2E 64 6C 6C 2C 30 63 63 66  
certcli.dll,0ccf
210 : 63 37 36 61 0A 63 65 72 74 6D 61 70 2E 6F 63 78  
c76a.certmap.ocx
220 : 2C 66 34 35 33 31 34 30 62 0A 63 65 72 74 6D 67  
,f453140b.certmg
230 : 72 2E 64 6C 6C 2C 66 38 36 38 39 38 61 34 0A 63  
r.dll,f86898a4.c
240 : 65 72 74 72 71 62 69 2E 61 73 70 0A 63 65 72 74  
ertrqbi.asp.cert
250 : 72 71 6D 61 2E 61 73 70 0A 63 65 72 74 77 69 7A  
rqma.asp.certwiz
260 : 2E 6F 63 78 2C 64 32 32 34 62 61 32 64 0A 63 66  
.ocx,d224ba2d.cf
270 : 67 77 69 7A 2E 65 78 65 2C 66 33 35 66 62 35 36  
gwiz.exe,f35fb56
280 : 65 0A 63 68 6B 64 73 6B 2E 65 78 65 2C 33 38 37  
e.chkdsk.exe,387
290 : 66 34 39 66 37 0A 63 68 6B 6E 74 66 73 2E 65 78  
f49f7.chkntfs.ex
2a0 : 65 2C 30 35 30 35 66 36 39 62 0A 63 69 61 64 6D  
e,0505f69b.ciadm
2b0 : 69 6E 2E 64 6C 6C 2C 37 35 66 64 33 30 36 36 0A  
in.dll,75fd3066.
2c0 : 63 69 6D 77 69 6E 33 32 2E 64 6C 6C 2C 39 65 65  
cimwin32.dll,9ee
2d0 : 61 33 31 34 64 0A 63 69 70 68 65 72 2E 65 78 65  
a314d.cipher.exe
2e0 : 2C 65 36 37 66 30 33 64 37 0A 63 6C 61 73 73 65  
,e67f03d7.classe
2f0 : 73 2E 63 65 72 0A 63 6C 61 73 73 65 73 2E 7A 69  
s.cer.classes.zi
300 : 70 0A 63 6C 61 73 73 70 6E 70 2E 73 79 73 2C 39  
p.classpnp.sys,9
310 : 66 31 37 35 33 65 34 0A 63 6C 62 63 61 74 65 78  
f1753e4.clbcatex
320 : 2E 64 6C 6C 2C 32 35 64 62 37 34 38 64 0A 63 6C  
.dll,25db748d.cl
330 : 62 63 61 74 71 2E 64 6C 6C 2C 62 66 32 64 34 62  
bcatq.dll,bf2d4b
340 : 35 34 0A 63 6C 75 73 61 70 69 2E 64 6C 6C 2C 30  
54.clusapi.dll,0
350 : 33 32 31 38 33 64 62 0A 63 6C 75 73 69 69 73 34  
32183db.clusiis4
360 : 2E 64 6C 6C 0A 63 6C 75 73 74 65 72 2E 65 78 65  
.dll.cluster.exe
370 : 2C 37 32 66 34 61 35 35 61 0A 63 6D 62 61 74 74  
,72f4a55a.cmbatt
380 : 2E 73 79 73 2C 35 61 30 61 36 64 64 66 2C 30 30  
.sys,5a0a6ddf,00
390 : 35 39 33 36 34 65 0A 63 6D 64 2E 65 78 65 2C 32  
59364e.cmd.exe,2
3a0 : 36 31 61 34 35 63 33 0A 63 6D 64 69 61 6C 33 32  
61a45c3.cmdial32
3b0 : 2E 64 6C 6C 2C 63 34 66 33 36 34 65 63 0A 63 6D  
.dll,c4f364ec.cm
3c0 : 6E 71 75 65 72 79 2E 64 6C 6C 2C 61 37 38 30 39  
nquery.dll,a7809
3d0 : 32 32 61 0A 63 6D 70 72 6F 70 73 2E 64 6C 6C 2C  
22a.cmprops.dll,
3e0 : 65 64 66 33 65 66 32 31 0A 63 6D 73 74 70 2E 65  
edf3ef21.cmstp.e
3f0 : 78 65 2C 61 35 36 35 34 36 30 37 0A 63 6D 75 74  
xe,a5654607.cmut
400 : 69 6C 2E 64 6C 6C 2C 38 36 62 66 39 31 65 62 0A  
il.dll,86bf91eb.
410 : 63 6E 66 67 70 72 74 73 2E 6F 63 78 2C 38 63 39  
cnfgprts.ocx,8c9
420 : 38 65 30 32 30 0A 63 6E 76 66 61 74 2E 64 6C 6C  
8e020.cnvfat.dll
430 : 2C 31 30 39 62 65 38 66 66 0A 63 6F 61 64 6D 69  
,109be8ff.coadmi
440 : 6E 2E 64 6C 6C 2C 38 65 33 63 34 30 61 61 0A 63  
n.dll,8e3c40aa.c
450 : 6F 6C 62 61 63 74 2E 64 6C 6C 2C 36 64 39 39 35  
olbact.dll,6d995
460 : 63 63 64 0A 63 6F 6D 61 64 6D 69 6E 2E 64 6C 6C  
ccd.comadmin.dll
470 : 2C 36 30 35 39 64 31 63 36 0A 63 6F 6D 63 61 74  
,6059d1c6.comcat
480 : 2E 64 6C 6C 2C 33 31 38 34 64 37 39 31 0A 63 6F  
.dll,3184d791.co
490 : 6D 63 74 6C 33 32 2E 64 6C 6C 2C 36 66 65 38 38  
mctl32.dll,6fe88
4a0 : 32 31 63 0A 63 6F 6D 64 6C 67 33 32 2E 64 6C 6C  
21c.comdlg32.dll
4b0 : 2C 64 36 64 37 61 61 34 35 0A 63 6F 6D 6D 61 6E  
,d6d7aa45.comman
4c0 : 64 2E 63 6F 6D 2C 65 38 64 33 30 30 38 61 0A 63  
d.com,e8d3008a.c
4d0 : 6F 6D 70 62 61 74 74 2E 73 79 73 2C 37 34 35 37  
ompbatt.sys,7457
4e0 : 61 63 39 62 2C 64 66 61 38 64 38 38 30 0A 63 6F  
ac9b,dfa8d880.co
4f0 : 6D 70 66 69 6C 74 2E 64 6C 6C 2C 66 36 61 62 64  
mpfilt.dll,f6abd
500 : 30 33 65 0A 63 6F 6D 73 65 74 75 70 2E 64 6C 6C  
03e.comsetup.dll
510 : 2C 31 66 61 37 64 30 66 39 0A 63 6F 6D 73 76 63  
,1fa7d0f9.comsvc
520 : 73 2E 64 6C 6C 2C 35 62 34 65 62 36 66 30 0A 63  
s.dll,5b4eb6f0.c
530 : 6F 6D 75 69 64 2E 64 6C 6C 2C 35 37 30 63 36 61  
omuid.dll,570c6a
540 : 64 35 0A 63 6F 6E 66 2E 61 64 6D 2C 65 33 39 66  
d5.conf.adm,e39f
550 : 32 38 61 64 0A 63 6F 6E 66 2E 65 78 65 2C 63 62  
28ad.conf.exe,cb
560 : 35 37 62 33 31 38 0A 63 6F 6E 66 6D 73 70 2E 64  
57b318.confmsp.d
570 : 6C 6C 2C 64 65 39 32 63 31 38 65 0A 63 6F 6E 69  
ll,de92c18e.coni
580 : 6D 65 2E 65 78 65 2C 35 30 62 64 62 35 62 36 0A  
me.exe,50bdb5b6.
590 : 63 6F 6E 74 72 6F 6C 2E 65 78 65 2C 39 64 61 34  
control.exe,9da4
5a0 : 32 30 35 66 0A 63 6F 6E 74 72 6F 74 2E 64 6C 6C  
205f.controt.dll
5b0 : 2C 62 33 65                                       ,b3e
length = 1460

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas

=== message truncated ===


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
http://platinum.yahoo.com


-------------------------------------------------------
This SF.net email is sponsored by: Tablet PC.  
Does your code think in ink? You could win a Tablet PC. 
Get a free Tablet PC hat just for playing. What are you waiting for? 
http://ads.sourceforge.net/cgi-bin/redirect.pl?micr5043en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

What is this packet? Going to M$ Paul Schmehl (Mar 19)
- Re: What is this packet? Going to M$ Matt Kettler (Mar 19)
- Re: What is this packet? Going to M$ twig les (Mar 20)
- <Possible follow-ups>
- Re: What is this packet? Going to M$ Kenton Smith (Mar 20)