Snort mailing list archives
Alert turns up as ftp_telnet
From: Brian Lavender <brian () brie com>
Date: Tue, 28 Aug 2007 11:36:19 -0700
At one point I was running snort and I was getting alerts that corresponded directly to the exploit I attempted. Now, I get ftp_telnet alerts. What gives?

http://downloads.securityfocus.com/vulnerabilities/exploits/wuftpd-2.6.0-exp2.c

SNORT snort-2.6.1.5

/var/log/snort/alert (on 192.168.1.121)

[**] [1:553:7] POLICY FTP anonymous login attempt [**]
[Classification: Misc activity] [Priority: 3]
08/09-15:46:51.630779 192.168.1.121:54835 -> 192.168.1.136:21
TCP TTL:64 TOS:0x0 ID:3402 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0x1E0C3C4B Ack: 0xB33C7309 Win: 0x5C TcpLen: 32
TCP Options (3) => NOP NOP TS: 1221541186 17773996

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
08/09-15:46:51.632771 192.168.1.121:54835 -> 192.168.1.136:21
TCP TTL:64 TOS:0x0 ID:3403 IpLen:20 DgmLen:457 DF
***AP*** Seq: 0x1E0C3C55 Ack: 0xB33C734D Win: 0x5C TcpLen: 32
TCP Options (3) => NOP NOP TS: 1221541188 17773996
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:1972:16] FTP PASS overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
08/09-15:46:51.632771 192.168.1.121:54835 -> 192.168.1.136:21
TCP TTL:64 TOS:0x0 ID:3403 IpLen:20 DgmLen:457 DF
***AP*** Seq: 0x1E0C3C55 Ack: 0xB33C734D Win: 0x5C TcpLen: 32
TCP Options (3) => NOP NOP TS: 1221541188 17773996
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0895][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0126][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-1035][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1539][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1519][Xref => http://www.securityfocus.com/bid/9285][Xref => http://www.securityfocus.com/bid/8601][Xref => http://www.securityfocus.com/bid/3884][Xref => http://www.securityfocus.com/bid/1690][Xref => http://www.securityfocus.com/bid/10720][Xref => http://www.securityfocus.com/bid/10078]

[**] [1:1748:8] FTP command overflow attempt [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
08/09-15:46:51.632771 192.168.1.121:54835 -> 192.168.1.136:21
TCP TTL:64 TOS:0x0 ID:3403 IpLen:20 DgmLen:457 DF
***AP*** Seq: 0x1E0C3C55 Ack: 0xB33C734D Win: 0x5C TcpLen: 32
TCP Options (3) => NOP NOP TS: 1221541188 17773996
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0606][Xref => http://www.securityfocus.com/bid/4638]

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
08/09-15:46:51.636024 192.168.1.136:21 -> 192.168.1.121:54835
TCP TTL:64 TOS:0x10 ID:143 IpLen:20 DgmLen:480 DF
***AP*** Seq: 0xB33C734D Ack: 0x1E0C3DEA Win: 0x7D78 TcpLen: 32
TCP Options (3) => NOP NOP TS: 17773997 1221541188
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:361:15] FTP SITE EXEC attempt [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/09-15:47:01.637579 192.168.1.121:54835 -> 192.168.1.136:21
TCP TTL:64 TOS:0x0 ID:3406 IpLen:20 DgmLen:66 DF
***AP*** Seq: 0x1E0C3DEA Ack: 0xB33C7594 Win: 0x7D TcpLen: 32
TCP Options (3) => NOP NOP TS: 1221551192 17773999
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0955][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0080][Xref => http://www.securityfocus.com/bid/2241][Xref => http://www.whitehats.com/info/IDS317]

Now I am getting alerts that look like this!

08/28-09:52:29.622502 [**] [125:6:1] <eth0> (ftp_telnet) FTP response message was too long [**] {TCP} 192.168.1.122:21 -> 192.168.1.114:53757

[2:830] [**] [125:3:1] (ftp_telnet) FTP command parameters were too long [**]
08/28-10:13:40.220803 192.168.1.114:41513 -> 192.168.1.122:21
TCP TTL:64 TOS:0x0 ID:20829 IpLen:20 DgmLen:457 DF
***AP*** Seq: 0x536DA099 Ack: 0xFA91F5D0 Win: 0x5C TcpLen: 32
TCP Options (3) => NOP NOP TS: 2843737552 237713562

08/28-10:13:40.220803 [**] [125:3:1] <eth0> (ftp_telnet) FTP command parameters were too long [**] {TCP} 192.168.1.114:41513 -> 192.168.1.122:21

[2:831] [**] [125:6:1] (ftp_telnet) FTP response message was too long [**]
08/28-10:13:40.221006 192.168.1.122:21 -> 192.168.1.114:41513
TCP TTL:64 TOS:0x10 ID:49325 IpLen:20 DgmLen:480 DF
***AP*** Seq: 0xFA91F5D0 Ack: 0x536DA22E Win: 0x36 TcpLen: 32
TCP Options (3) => NOP NOP TS: 237713562 2843737552

08/28-10:13:40.221006 [**] [125:6:1] <eth0> (ftp_telnet) FTP response message was too long [**] {TCP} 192.168.1.122:21 -> 192.168.1.114:41513

[2:832] [**] [125:3:1] (ftp_telnet) FTP command parameters were too long [**]
08/28-10:13:54.079879 192.168.1.114:41514 -> 192.168.1.122:21
TCP TTL:64 TOS:0x0 ID:908 IpLen:20 DgmLen:457 DF
***AP*** Seq: 0x8E0F247D Ack: 0xFB57457A Win: 0x5C TcpLen: 32
TCP Options (3) => NOP NOP TS: 2843751410 237717027

--
Brian Lavender
http://www.brie.com/brian/
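The two alert files pasted above are in two different Snort 2.x output formats (the multi-line "full" format and the one-line "fast" format with the interface name), and they come from two different generators: GID 1 is the rules engine, GID 125 is the ftp_telnet preprocessor, which is exactly what the `(ftp_telnet)` prefix in the second run says. The script below is an added example, not code from the post, from Brian or from the Snort project. It parses both formats, groups the records by generator and by TCP connection (ignoring direction, so the server's "response too long" event lands next to the client's "parameters too long" event), and reports whether a run produced any rule hits at all. The embedded records are constructed, modelled on the ones in the post but not copied verbatim.

```python
"""Parse Snort 2.x alert records in "full" and "fast" format and group them by
generator ID and by connection, so preprocessor-only runs stand out."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample (modelled on the post, not copied): one rule hit in full
# format, one ftp_telnet event in full format, one ftp_telnet event in fast format.
SAMPLE_ALERTS = """\
[**] [1:1972:16] FTP PASS overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
08/09-15:46:51.632771 192.168.1.121:54835 -> 192.168.1.136:21
TCP TTL:64 TOS:0x0 ID:3403 IpLen:20 DgmLen:457 DF
***AP*** Seq: 0x1E0C3C55 Ack: 0xB33C734D Win: 0x5C TcpLen: 32
TCP Options (3) => NOP NOP TS: 1221541188 17773996
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0895]

[**] [125:3:1] (ftp_telnet) FTP command parameters were too long [**]
08/28-10:13:40.220803 192.168.1.114:41513 -> 192.168.1.122:21
TCP TTL:64 TOS:0x0 ID:20829 IpLen:20 DgmLen:457 DF
***AP*** Seq: 0x536DA099 Ack: 0xFA91F5D0 Win: 0x5C TcpLen: 32
TCP Options (3) => NOP NOP TS: 2843737552 237713562

08/28-10:13:40.221006 [**] [125:6:1] <eth0> (ftp_telnet) FTP response message was too long [**] {TCP} 192.168.1.122:21 -> 192.168.1.114:41513
"""

# Generator IDs used by Snort 2.x: 1 is the text rules engine, 125 is the
# ftp_telnet preprocessor. Anything else is reported by its raw number.
GENERATOR_NAMES = {1: "rules engine", 125: "ftp_telnet preprocessor"}

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (?:<\S+> )?(.*?) \[\*\*\]")
TIMESTAMP = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)")
ENDPOINTS = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
DGMLEN = re.compile(r"DgmLen:(\d+)")


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    timestamp: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    dgm_len: Optional[int] = None  # only present in the full format

    @property
    def generator(self) -> str:
        return GENERATOR_NAMES.get(self.gid, f"gid {self.gid}")


def parse_alerts(text: str) -> List[Alert]:
    """A line carrying "[**] [gid:sid:rev] msg [**]" starts a record; timestamp,
    endpoints and DgmLen are taken from that same line (fast format) or from
    the lines that follow it (full format)."""
    alerts: List[Alert] = []
    current: Optional[Alert] = None
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            current = Alert(int(h.group(1)), int(h.group(2)), int(h.group(3)), h.group(4))
            alerts.append(current)
        if current is None:
            continue
        t = TIMESTAMP.match(line)
        if t and current.timestamp is None:
            current.timestamp = t.group(1)
        e = ENDPOINTS.search(line)
        if e and current.src is None:
            current.src, current.sport = e.group(1), int(e.group(2))
            current.dst, current.dport = e.group(3), int(e.group(4))
        d = DGMLEN.search(line)
        if d:
            current.dgm_len = int(d.group(1))
    return alerts


def generator_counts(alerts: List[Alert]) -> Counter:
    """Alerts per generator: a run with only GID 125 entries has the
    preprocessor firing but no rule matching."""
    return Counter(a.generator for a in alerts)


def summarize_by_flow(alerts: List[Alert]) -> Dict[Tuple, List[Alert]]:
    """Group by TCP connection regardless of direction, so the client's request
    event and the server's response event share one bucket."""
    flows: Dict[Tuple, List[Alert]] = defaultdict(list)
    for a in alerts:
        if a.src is None:
            continue
        key = tuple(sorted([(a.src, a.sport), (a.dst, a.dport)]))
        flows[key].append(a)
    return dict(flows)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(generator_counts(parsed))
    for flow, events in summarize_by_flow(parsed).items():
        print(flow, [(a.gid, a.sid, a.dgm_len) for a in events])
```

Run it against a real /var/log/snort/alert by replacing `SAMPLE_ALERTS` with the file's contents; a summary where every entry is "ftp_telnet preprocessor" tells you the preprocessor saw the over-long FTP command and response but the rules engine reported nothing for that connection, which is the thing to chase in the rules and preprocessor configuration rather than in the traffic.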