Snort mailing list archives
Repeated warnings
From: Manuel Balderrábano <garibolo () wanadoo es>
Date: Wed, 12 May 2004 11:36:58 +0200
Hi, list. I have been watching repeated access attempts to the firewall for a couple of days. The steps are all the same:

[**] [1:1070:6] WEB-MISC WebDAV search access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/11-12:41:17.335874 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1472 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83875ABE  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS474]

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/11-12:41:17.335874 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1472 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83875ABE  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS474]

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
05/11-12:41:17.336005 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1473 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387604A  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.813229 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1579 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x838765D6  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.819632 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1580 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83876B62  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.826552 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1581 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x838770EE  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.832957 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1582 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387767A  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.281985 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1660 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83877C06  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.288862 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1661 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83878192  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.295286 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1662 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387871E  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.302304 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1663 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x83878CAA  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.822478 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1791 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387A866  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:18.829314 ATACKER_IP:1262 -> FW_EXT_IP:80
TCP TTL:112 TOS:0x0 ID:1792 IpLen:20 DgmLen:1460 DF
***A**** Seq: 0x8387ADF2  Ack: 0x45C0D766  Win: 0x4290  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

This sequence repeats about 10 more times, from different IPs. I was wondering if this sequence matches any virus behaviour?

Regards.

--
---------------------------------------------------------------------------------
Manuel Balderrábano
e-mail: garibolo () wanadoo es
---------------------------------------------------------------------------------
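The question in the post is really a correlation problem: the alerts above are not interesting one at a time (a lone "WebDAV search access" hit is any client sending a SEARCH request, and "SHELLCODE x86 NOOP" fires on plenty of binary content), but the ordering inside one TCP connection is: a WebDAV SEARCH, an oversized request URI, and then a run of NOP-sled hits on the same src:port -> dst:port, with consecutive IP IDs and sequence numbers advancing by one full segment each time. The example below is an added illustration, not code from the poster or from the Snort project. It parses Snort's full alert format into per-flow records and flags flows that show that ordering. The alert text is a constructed sample that keeps the signatures and order from the post, trimmed to the header, classification and packet lines, with documentation addresses in place of the ATACKER_IP / FW_EXT_IP placeholders; the helper names (parse_alerts, find_chains) and the 3-hit / 5-second thresholds are this example's own choices.

```python
"""Correlate Snort full-format alerts into per-flow attack chains.

Added example, not code from the original post. SAMPLE_ALERTS is a
constructed sample: the first six records mirror the post's sequence for
one flow, then a lone WebDAV search hit and a lone NOOP hit on other
flows, which should not be flagged.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_ALERTS = """\
[**] [1:1070:6] WEB-MISC WebDAV search access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/11-12:41:17.335874 198.51.100.7:1262 -> 192.0.2.10:80

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/11-12:41:17.335874 198.51.100.7:1262 -> 192.0.2.10:80

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
05/11-12:41:17.336005 198.51.100.7:1262 -> 192.0.2.10:80

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.813229 198.51.100.7:1262 -> 192.0.2.10:80

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.819632 198.51.100.7:1262 -> 192.0.2.10:80

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:41:17.826552 198.51.100.7:1262 -> 192.0.2.10:80

[**] [1:1070:6] WEB-MISC WebDAV search access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/11-12:50:02.000000 198.51.100.20:3001 -> 192.0.2.10:80

[**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-12:55:10.500000 198.51.100.33:4040 -> 192.0.2.10:80
"""

# Alert header "[**] [gid:sid:rev] message [**]" and the packet line that
# follows it ("MM/DD-HH:MM:SS.usec src:port -> dst:port").
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$", re.M)
PACKET_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$", re.M)

WEBDAV_SEARCH = (1, 1070)   # gid:sid of "WEB-MISC WebDAV search access"
X86_NOOP = (1, 648)         # gid:sid of "SHELLCODE x86 NOOP"


def _seconds(stamp):
    """Snort stamp 'MM/DD-HH:MM:SS.usec' -> seconds; the log has no year."""
    dt = datetime.strptime(stamp, "%m/%d-%H:%M:%S.%f")
    return (dt - datetime(1900, 1, 1)).total_seconds()


def parse_alerts(text):
    """Return one dict per alert: rule id, message, time and flow 4-tuple."""
    alerts = []
    heads = list(HEADER_RE.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        pkt = PACKET_RE.search(text, h.end(), end)
        if pkt is None:            # header with no packet line: skip it
            continue
        alerts.append({
            "gid": int(h.group(1)), "sid": int(h.group(2)), "msg": h.group(4),
            "stamp": pkt.group(1), "t": _seconds(pkt.group(1)),
            "flow": (pkt.group(2), int(pkt.group(3)),
                     pkt.group(4), int(pkt.group(5))),
        })
    return alerts


def find_chains(alerts, min_noops=3, window_s=5.0):
    """Flag flows showing the post's ordering: a WebDAV search access alert
    followed within window_s seconds by at least min_noops x86 NOOP alerts
    on the same src:port -> dst:port (thresholds are assumptions)."""
    by_flow = defaultdict(list)
    for a in alerts:
        by_flow[a["flow"]].append(a)
    chains = []
    for flow, evs in by_flow.items():
        evs.sort(key=lambda a: a["t"])
        starts = [a for a in evs if (a["gid"], a["sid"]) == WEBDAV_SEARCH]
        if not starts:
            continue               # NOOP hits alone are not the pattern
        t0 = starts[0]["t"]
        noops = [a for a in evs if (a["gid"], a["sid"]) == X86_NOOP
                 and t0 <= a["t"] <= t0 + window_s]
        if len(noops) >= min_noops:
            chains.append({"flow": flow, "start": starts[0]["stamp"],
                           "noops": len(noops),
                           "span_s": round(noops[-1]["t"] - t0, 3)})
    return chains


if __name__ == "__main__":
    for chain in find_chains(parse_alerts(SAMPLE_ALERTS)):
        print(chain)
```

Keying on the full src:port -> dst:port tuple rather than on the source address is deliberate: the post's run is one TCP connection (source port 1262 throughout, IP IDs 1472, 1473, 1579, 1580, ...), so each of the "about 10 more" repeats from other hosts shows up as its own chain, and a retry from the same host on a new source port is counted separately rather than being merged into an older one. Against the real alert file the lone WebDAV search hit and the isolated NOOP hit stay out of the result, which is what makes the correlated chain a better thing to alert on than any of its members.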
Current thread:
- Repeated warnings Manuel Balderrábano (May 12)