Snort mailing list archives

RFC: SHELLCODE and WEBDAV alerts


From: "Michael Shirk" <shirkdog_linux () hotmail com>
Date: Thu, 18 Mar 2004 10:56:30 -0500

Here is the activity that I have been seeing with no explanation.

Here are the first 12 alerts where the payload is 1460 of all (90) or . characters:
SHELLCODE       x86     NOOP    3/15/2004       17:30:10
SHELLCODE       x86     NOOP    3/15/2004       17:30:10
SHELLCODE       x86     NOOP    3/15/2004       17:30:10
SHELLCODE       x86     NOOP    3/15/2004       17:30:10
SHELLCODE       x86     NOOP    3/15/2004       17:30:10
SHELLCODE       x86     NOOP    3/15/2004       17:30:10
SHELLCODE       x86     NOOP    3/15/2004       17:30:10
SHELLCODE       x86     NOOP    3/15/2004       17:30:10
SHELLCODE       x86     NOOP    3/15/2004       17:30:10
SHELLCODE       x86     NOOP    3/15/2004       17:30:10
SHELLCODE       x86     NOOP    3/15/2004       17:30:10
SHELLCODE       x86     NOOP    3/15/2004       17:30:10

Then I get one WEBDAV alert with a payload of 1460:
WEB-MISC WebDAV searchaccess    3/15/2004       17:30:10

Which contains the following String:

SEARCH /

Followed by 90 or . characters. I have not seen any viruses of this nature and it is either a terrible false positive or some kind of script. I have seen different sources with the same exact pattern. I am going to write a rule for this but am wondering if anyone has seen these things in THEIR LOGS.

Regards,
Shirkdog

http://www.shirkdog.us
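The pattern described in the post (a WebDAV "SEARCH /" request padded out to a full 1460-byte segment with either 0x90 bytes, the x86 NOP opcode the SHELLCODE x86 NOOP rule keys on, or "." characters) can be checked offline against captured payloads. The following is an added example and is not code from the post or from the Snort project: the thresholds (NOP_SIG_RUN, PAD_RUN), the sample payloads and the draft local rule text are constructed assumptions for illustration.

```python
"""Added example, not from the original post or Snort's own code.

Classifies captured TCP payloads against the pattern described in the
thread: a WebDAV "SEARCH /" request padded out to a full 1460-byte
segment with either 0x90 bytes (the x86 NOP opcode that the SHELLCODE
x86 NOOP rule keys on) or '.' characters.  Thresholds, the draft rule
text and all sample payloads are constructed assumptions.
"""

SEARCH_PREFIX = b"SEARCH /"
NOP = 0x90
DOT = ord(".")
MSS_PAYLOAD = 1460      # full TCP segment payload size reported in the post
NOP_SIG_RUN = 14        # assumed: roughly the 0x90 run length the stock NOOP rule matched
PAD_RUN = 64            # assumed: padding run long enough to call it deliberate


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest consecutive run of byte `value` in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def classify(payload: bytes) -> dict:
    """Describe one payload in terms of the two alerts from the post."""
    is_search = payload.startswith(SEARCH_PREFIX)
    body = payload[len(SEARCH_PREFIX):] if is_search else payload
    nop_run = longest_run(body, NOP)
    dot_run = longest_run(body, DOT)
    if nop_run >= PAD_RUN:
        padding = "nop-sled"
    elif dot_run >= PAD_RUN:
        padding = "dot-padding"
    else:
        padding = "none"
    return {
        "length": len(payload),
        "full_segment": len(payload) == MSS_PAYLOAD,
        "webdav_search": is_search,
        # The NOOP rule fires on the 0x90 run regardless of the HTTP method;
        # the '.' variant only hits the WebDAV rule, matching what the post saw.
        "shellcode_noop_would_fire": longest_run(payload, NOP) >= NOP_SIG_RUN,
        "padding": padding,
        "padding_run": max(nop_run, dot_run),
    }


def constructed_samples() -> dict:
    """Constructed payloads mirroring the post: two padded SEARCH requests
    plus a benign WebDAV SEARCH for comparison."""
    pad = MSS_PAYLOAD - len(SEARCH_PREFIX)
    benign = (b"SEARCH / HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Type: text/xml\r\n\r\n<?xml version=\"1.0\"?>")
    return {
        "nop": SEARCH_PREFIX + bytes([NOP]) * pad,
        "dot": SEARCH_PREFIX + b"." * pad,
        "benign": benign,
    }


def draft_local_rule(sid: int = 1000001) -> str:
    """Draft Snort rule for a local.rules file (assumed, untested text) that
    alerts only on SEARCH / followed by a long run of 0x90 or '.' bytes,
    so the benign request above would not match."""
    return (
        f'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        f'(msg:"LOCAL WebDAV SEARCH padded with NOP or dot bytes"; '
        f'flow:to_server,established; content:"SEARCH /"; depth:8; '
        f'pcre:"/^SEARCH \\/(\\x90{{{PAD_RUN},}}|\\.{{{PAD_RUN},}})/"; '
        f'classtype:web-application-attack; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    for name, payload in constructed_samples().items():
        print(name, classify(payload))
    print(draft_local_rule())
```

Run it as a script to see all three constructed samples classified and the draft rule printed. The point of separating `shellcode_noop_would_fire` from `padding` is the one the post makes: the 0x90 variant trips both the SHELLCODE and the WebDAV signatures, while the "." variant trips only the WebDAV one, so a local rule anchored on "SEARCH /" plus a long padding run of either byte covers both without firing on a normal WebDAV SEARCH request.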
