Snort mailing list archives

Repeated warnings


From: Manuel Balderrábano <garibolo () wanadoo es>
Date: Wed, 12 May 2004 11:36:58 +0200

Hi, list.

I have been watching repeated access attempts to the firewall during a couple 
of days.

The steps are all the same:

[**] [1:1070:6] WEB-MISC WebDAV search access [**]
[Classification: access to a potentially vulnerable web application] 
[Priority: 2]
05/11-12:41:17.335874 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1472 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83875ABE  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS474]

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[Classification: access to a potentially vulnerable web application] 
[Priority: 2]
05/11-12:41:17.335874 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1472 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83875ABE  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS474]

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
05/11-12:41:17.336005 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1473 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387604A  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.813229 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1579 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x838765D6  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.819632 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1580 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83876B62  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.826552 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1581 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x838770EE  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.832957 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1582 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387767A  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.281985 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1660 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83877C06  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.288862 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1661 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83878192  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.295286 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1662 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387871E  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.302304 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1663 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83878CAA  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.822478 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1791 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387A866  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.829314 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1792 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387ADF2  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

This sequence repeats about 10 more times, from different IPs.

I was wondering if this sequence matches any virus behaviour?

Regards.

-- 
---------------------------------------------------------------------------------
Manuel Balderrábano

e-mail: garibolo () wanadoo es
---------------------------------------------------------------------------------
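As an added example (not part of the post or of Snort), a small triage script that parses records in the full-alert format quoted above, groups them by TCP connection, and flags connections whose alerts contain, in order, the same probe-then-NOOP chain the poster saw. The sample records and the ATACKER_IP / FW_EXT_IP / OTHER_IP hosts are constructed placeholders.

```python
import re
# Constructed sample in Snort full-alert format, modelled on the post's records.
SAMPLE_ALERTS = """\
[**] [1:1070:6] WEB-MISC WebDAV search access [**]
05/11-12:41:17.335874 ATACKER_IP:1262 -> FW_EXT_IP:80
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
05/11-12:41:17.335874 ATACKER_IP:1262 -> FW_EXT_IP:80
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
05/11-12:41:17.336005 ATACKER_IP:1262 -> FW_EXT_IP:80
[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.813229 ATACKER_IP:1262 -> FW_EXT_IP:80
[**] [1:648:6] SHELLCODE x86 NOOP [**]
05/11-12:41:17.819632 ATACKER_IP:1262 -> FW_EXT_IP:80
[**] [1:1070:6] WEB-MISC WebDAV search access [**]
05/11-13:02:01.000000 OTHER_IP:3301 -> FW_EXT_IP:80
"""
HEADER = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]$")
FLOW = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")

def parse_alerts(text):
    """One (timestamp, gid:sid:rev, message, src, sport, dst, dport) per alert."""
    records, sid, msg = [], None, None
    for line in text.splitlines():
        if h := HEADER.match(line):
            sid, msg = h.groups()
        elif (f := FLOW.match(line)) and sid:  # flow line after a header
            ts, src, sport, dst, dport = f.groups()
            records.append((ts, sid, msg, src, int(sport), dst, int(dport)))
            sid = msg = None  # classification/TCP detail lines are skipped
    return records

# Ordered chain the poster saw in every session: WebDAV SEARCH probe,
# oversize request URI, then x86 NOOP sleds (compared on gid:sid, rev dropped).
WEBDAV_CHAIN = ("1:1070", "119:15", "1:648")

def matches_chain(session_alerts, chain=WEBDAV_CHAIN):
    """True if the session's gid:sid values contain the chain as a subsequence."""
    pos = 0
    for _, sid, _ in session_alerts:
        if pos < len(chain) and sid.rsplit(":", 1)[0] == chain[pos]:
            pos += 1
    return pos == len(chain)

def find_suspect_sessions(text):
    """{(src, sport, dst, dport): alert count} for connections showing the chain."""
    sessions = {}  # one client port == one TCP connection
    for ts, sid, msg, src, sport, dst, dport in parse_alerts(text):
        sessions.setdefault((src, sport, dst, dport), []).append((ts, sid, msg))
    return {k: len(v) for k, v in sessions.items() if matches_chain(v)}
```

Run it over a real alert file by passing its contents to find_suspect_sessions(); a lone WebDAV probe (like the OTHER_IP record) is not reported, only connections that go on to the oversize URI and NOOP stages.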