Snort mailing list archives

Re: Snort alerts caused by possible legit traffic?


From: John Sage <jsage () finchhaven com>
Date: Sat, 7 Jun 2003 12:02:22 -0700

On Sat, Jun 07, 2003 at 03:54:48AM -0400, NismoSkyline wrote:
A lot of machines using the same ISP as me have been setting off snort like shown below. Is it possible this is legit traffic?

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-05:46:18.582271 attackerIP:2074 -> myIP:80
TCP TTL:117 TOS:0x0 ID:2119 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x235969AC  Ack: 0xAB4D7465  Win: 0x4470  TcpLen: 20

No. Just extremely common.

Given:

[jsage@tweedle /usr/local/snort-2.0.0/rules] $ grep 'WEB-IIS cmd.exe' *
web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-IIS cmd.exe access"; flow:to_server,established;
content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002;
rev:5;)

You get different variations on:

input: snort.log-May.26.16:04
filter: ip and ( dst port 80 )
match: cmd.exe
##############
T 2003/05/25 16:12:12.696621 12.216.246.144:1482 -> 12.82.128.43:80 [AP]
  47 45 54 20 2f 63 2f 77    69 6e 6e 74 2f 73 79 73    GET /c/winnt/sys
  74 65 6d 33 32 2f 63 6d    64 2e 65 78 65 3f 2f 63    tem32/cmd.exe?/c
  2b 64 69 72 20 48 54 54    50 2f 31 2e 30 0d 0a 48    +dir HTTP/1.0..H
  6f 73 74 3a 20 77 77 77    0d 0a 43 6f 6e 6e 6e 65    ost: www..Connne
  63 74 69 6f 6e 3a 20 63    6c 6f 73 65 0d 0a 0d 0a    ction: close....
######

by the billions...


- John
-- 
"You are in a twisty maze of weblogs, all alike."

See our all-new look! http://www.finchhaven.com/
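To make concrete why sid:1002 fires on anything that merely mentions cmd.exe, here is an added example (not John's code or part of the Snort rule set) that rebuilds the payload from the ngrep hex dump quoted above and applies the same content check the rule does; it assumes $HTTP_PORTS is just 80, treats the flow:to_server,established condition as already satisfied, and adds one constructed request of its own (a search query containing the string) to show a non-attack hit.

```python
import re

# ngrep hex dump exactly as it appears in the post above (copied here so the
# example runs stand-alone)
NGREP_DUMP = """\
  47 45 54 20 2f 63 2f 77    69 6e 6e 74 2f 73 79 73    GET /c/winnt/sys
  74 65 6d 33 32 2f 63 6d    64 2e 65 78 65 3f 2f 63    tem32/cmd.exe?/c
  2b 64 69 72 20 48 54 54    50 2f 31 2e 30 0d 0a 48    +dir HTTP/1.0..H
  6f 73 74 3a 20 77 77 77    0d 0a 43 6f 6e 6e 6e 65    ost: www..Connne
  63 74 69 6f 6e 3a 20 63    6c 6f 73 65 0d 0a 0d 0a    ction: close....
"""

# constructed request that is not an attack but still contains the string
LEGIT_REQUEST = b"GET /search?q=cmd.exe+tutorial HTTP/1.0\r\nHost: www\r\n\r\n"

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")

def ngrep_dump_to_bytes(dump: str) -> bytes:
    """Rebuild the TCP payload from an ngrep-style dump: each line holds up
    to 16 hex bytes (two groups of 8) followed by an ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:          # hex tokens come first
            if not HEX_BYTE.match(tok):        # reached the ASCII column
                break
            out.append(int(tok, 16))
    return bytes(out)

def sid_1002_matches(dst_port: int, payload: bytes) -> bool:
    """Minimal model of sid:1002 rev:5 as quoted above: a client request to
    an HTTP port whose payload contains "cmd.exe" in any case (nocase).
    Assumes flow:to_server,established holds (only client->server data is
    fed in) and that $HTTP_PORTS is just 80."""
    return dst_port == 80 and b"cmd.exe" in payload.lower()

def request_target(payload: bytes) -> str:
    """Return the request-target from the HTTP request line, for triage."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    return parts[1].decode("ascii", "replace") if len(parts) >= 2 else ""

if __name__ == "__main__":
    for name, pl in (("ngrep capture", ngrep_dump_to_bytes(NGREP_DUMP)),
                     ("constructed legit", LEGIT_REQUEST)):
        print(f"{name:18} sid:1002={sid_1002_matches(80, pl)} "
              f"target={request_target(pl)}")
```

Both samples trigger the rule; only the request-target tells a Nimda-style probe for /winnt/system32/cmd.exe apart from a query string that happens to contain the word.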

