Snort mailing list archives
Re: Snort alerts caused by possible legit traffic?
From: John Sage <jsage () finchhaven com>
Date: Sat, 7 Jun 2003 12:02:22 -0700
On Sat, Jun 07, 2003 at 03:54:48AM -0400, NismoSkyline wrote:
A lot of machines using the same ISP as me have been setting off snort like shown below. Is it possible this is legit traffic?

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/06-05:46:18.582271 attackerIP:2074 -> myIP:80
TCP TTL:117 TOS:0x0 ID:2119 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x235969AC  Ack: 0xAB4D7465  Win: 0x4470  TcpLen: 20
No. Just extremely common.

Given:

[jsage@tweedle /usr/local/snort-2.0.0/rules] $ grep 'WEB-IIS cmd.exe' *
web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)

You get different variations on:

input: snort.log-May.26.16:04
filter: ip and ( dst port 80 )
match: cmd.exe
##############
T 2003/05/25 16:12:12.696621 12.216.246.144:1482 -> 12.82.128.43:80 [AP]
  47 45 54 20 2f 63 2f 77 69 6e 6e 74 2f 73 79 73    GET /c/winnt/sys
  74 65 6d 33 32 2f 63 6d 64 2e 65 78 65 3f 2f 63    tem32/cmd.exe?/c
  2b 64 69 72 20 48 54 54 50 2f 31 2e 30 0d 0a 48    +dir HTTP/1.0..H
  6f 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e 65    ost: www..Connne
  63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a    ction: close....
######

by the billions...

- John

--
"You are in a twisty maze of weblogs, all alike."
See our all-new look! http://www.finchhaven.com/
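To make concrete why sid 1002 fires so readily, here is an added example (not code from the thread, John Sage, or the Snort project): a small Python model of the rule's matching logic, run over the payload decoded from the hex dump above plus a few constructed requests. It parses the rule line exactly as grepped from web-iis.rules, honours the `nocase` modifier on the preceding `content` keyword and the `flow:to_server` direction, and assumes `$HTTP_PORTS` is the stock default of port 80 only (that assumption, the helper names, and the extra sample requests are mine). The last sample shows the point the question is really asking about: any request whose bytes contain "cmd.exe", even a harmless URL that merely mentions the file, will trip this signature, so the alert is a content hit, not proof of a compromise.

```python
# Rule text exactly as grepped from web-iis.rules in the reply (sid 1002, rev 5).
RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-IIS cmd.exe access"; flow:to_server,established; '
    'content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)'
)

# Payload hex copied from the packet dump in the reply; the ASCII gutter is ignored.
CAPTURE_HEX = """
47 45 54 20 2f 63 2f 77 69 6e 6e 74 2f 73 79 73    GET /c/winnt/sys
74 65 6d 33 32 2f 63 6d 64 2e 65 78 65 3f 2f 63    tem32/cmd.exe?/c
2b 64 69 72 20 48 54 54 50 2f 31 2e 30 0d 0a 48    +dir HTTP/1.0..H
6f 73 74 3a 20 77 77 77 0d 0a 43 6f 6e 6e 6e 65    ost: www..Connne
63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a    ction: close....
"""

# Assumption for this example: $HTTP_PORTS carries the stock snort.conf default, port 80 only.
HTTP_PORTS = {80}


def decode_hex_dump(dump):
    """Rebuild the raw TCP payload from the 16 hex columns on each dump line."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out.extend(int(tok, 16) for tok in line.split()[:16])
    return bytes(out)


def parse_rule(rule):
    """Split a Snort 2 rule into header fields plus its option list.

    Only the keywords this rule uses are modelled (msg, flow, content, nocase,
    classtype, sid, rev). As in Snort, 'nocase' modifies the 'content' that
    immediately precedes it.
    """
    header, _, body = rule.partition('(')
    action, proto, src, sport, _arrow, dst, dport = header.split()
    parsed = {'action': action, 'proto': proto, 'src': src, 'sport': sport,
              'dst': dst, 'dport': dport, 'contents': []}
    for opt in body.rstrip(')').split(';'):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(':')
        val = val.strip().strip('"')
        if key == 'content':
            parsed['contents'].append({'pattern': val.encode(), 'nocase': False})
        elif key == 'nocase':
            parsed['contents'][-1]['nocase'] = True
        else:
            parsed[key] = val
    return parsed


def evaluate(rule, payload, dst_port, to_server=True):
    """Return the rule's msg if this payload would fire it, otherwise None."""
    if rule['proto'] != 'tcp':
        return None
    if rule['dport'] == '$HTTP_PORTS' and dst_port not in HTTP_PORTS:
        return None
    if rule.get('flow', '').startswith('to_server') and not to_server:
        return None
    for c in rule['contents']:
        hay, needle = payload, c['pattern']
        if c['nocase']:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return None
    return rule['msg']


def check_request(payload, dst_port=80):
    """Convenience wrapper: evaluate the page's rule against one client payload."""
    return evaluate(parse_rule(RULE), payload, dst_port)


if __name__ == '__main__':
    probe = decode_hex_dump(CAPTURE_HEX)
    samples = [  # constructed requests, apart from the decoded capture
        ('captured probe from the reply', probe, 80),
        ('same bytes sent to port 8080', probe, 8080),
        ('upper-case path', b'GET /scripts/CMD.EXE?/c+dir HTTP/1.0\r\n\r\n', 80),
        ('ordinary page fetch', b'GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n', 80),
        ('harmless URL that mentions cmd.exe', b'GET /docs/cmd.exe-faq.html HTTP/1.1\r\nHost: www\r\n\r\n', 80),
    ]
    for label, payload, port in samples:
        print(f'{label:36s} -> {check_request(payload, port)}')
```

Snort's real engine does far more than this (stream reassembly, HTTP normalisation, fast-pattern matching), but the decision for sid 1002 reduces to the substring test shown here, which is why the reply calls the alert "extremely common" rather than evidence of anything targeted.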