Snort mailing list archives

Re: Dropped packets again

From: rmkml <rmkml () yahoo fr>
Date: Wed, 24 Nov 2010 01:06:04 +0100 (CET)

Hi James,
It is possible record your network trafic with tcpdump/tshark/wireshark/snort/daemonlogger... for testing please? (with 
full snap length of course)
"restart" your snort and search if you have new alert for sid 17645?
if yes, stop tcpdump, and search on your pcap with ipsrc/dst+portsrc/dst your snort alerts...
ok?
Regards
Rmkml



On Tue, 23 Nov 2010, Lay, James wrote:

Hey folks.



So again...doing my job and I see a spat of sid 17645:



11/23-16:20:50.583059  [**] [1:4152:4] WEB-ACTIVEX Windows Media Player
6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege
Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580

11/23-16:20:50.625051  [**] [1:4152:4] WEB-ACTIVEX Windows Media Player
6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege
Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580

11/23-16:28:32.188567  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645

11/23-16:28:32.937516  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645

11/23-16:28:32.942511  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645

11/23-16:28:32.948508  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645

11/23-16:28:32.954510  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645

11/23-16:28:32.959510  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645

11/23-16:28:32.965509  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645

11/23-16:28:32.971510  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645

11/23-16:30:02.942794  [**] [1:15213010:1] ET WEB_CLIENT PDF Name
Representation Obfuscation of /OpenAction [**] [Classification:
Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 ->
10.21.0.16:34763

11/23-16:30:02.942794  [**] [1:15213001:1] ET WEB_CLIENT PDF Name
Representation Obfuscation of /Subtype [**] [Classification: Potentially
Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763



Checking my pcapdump file I get:



16:20:50.583059 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack
3547191753, win 65535, length 1400

16:20:50.625051 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 1,
win 65535, length 1400

16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack
1493254297, win 48593, length 1380

16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack
1, win 48593, length 1380



SID 17645 is completely missing.  I recall sending this to the list a
while ago...I've recompiled things..and still it seems certain SIDS seem
left out of the packet captures.  There are no errors on the
interfaces...lot's of free memory, and CPU is pretty minimal.  What else
can I check?  I'm I just out of luck now?  Thanks.



James Lay

IT Security Analyst

WinCo Foods

208-672-2014 Office

208-559-1855 Cell

650 N Armstrong Pl.

Boise, Idaho 83704


------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500!
Tap into the largest installed PC base & get more eyes on your game by
optimizing for Intel(R) Graphics Technology. Get started today with the
Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
http://p.sf.net/sfu/intelisp-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Dropped packets again Lay, James (Nov 26)
- Re: Dropped packets again rmkml (Nov 26)
- Re: Dropped packets again Joel Esler (Nov 26)