Snort mailing list archives
Re: Dropped packets again
From: rmkml <rmkml () yahoo fr>
Date: Wed, 24 Nov 2010 01:06:04 +0100 (CET)
Hi James, It is possible record your network trafic with tcpdump/tshark/wireshark/snort/daemonlogger... for testing please? (with full snap length of course) "restart" your snort and search if you have new alert for sid 17645? if yes, stop tcpdump, and search on your pcap with ipsrc/dst+portsrc/dst your snort alerts... ok? Regards Rmkml On Tue, 23 Nov 2010, Lay, James wrote:
Hey folks. So again...doing my job and I see a spat of sid 17645: 11/23-16:20:50.583059 [**] [1:4152:4] WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580 11/23-16:20:50.625051 [**] [1:4152:4] WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580 11/23-16:28:32.188567 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645 11/23-16:28:32.937516 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645 11/23-16:28:32.942511 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645 11/23-16:28:32.948508 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645 11/23-16:28:32.954510 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645 11/23-16:28:32.959510 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645 11/23-16:28:32.965509 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645 11/23-16:28:32.971510 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645 11/23-16:30:02.942794 [**] [1:15213010:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /OpenAction [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763 11/23-16:30:02.942794 [**] [1:15213001:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763 Checking my pcapdump file I get: 16:20:50.583059 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 3547191753, win 65535, length 1400 16:20:50.625051 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 1, win 65535, length 1400 16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack 1493254297, win 48593, length 1380 16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack 1, win 48593, length 1380 SID 17645 is completely missing. I recall sending this to the list a while ago...I've recompiled things..and still it seems certain SIDS seem left out of the packet captures. There are no errors on the interfaces...lot's of free memory, and CPU is pretty minimal. What else can I check? I'm I just out of luck now? Thanks. James Lay IT Security Analyst WinCo Foods 208-672-2014 Office 208-559-1855 Cell 650 N Armstrong Pl. Boise, Idaho 83704
------------------------------------------------------------------------------ Increase Visibility of Your 3D Game App & Earn a Chance To Win $500! Tap into the largest installed PC base & get more eyes on your game by optimizing for Intel(R) Graphics Technology. Get started today with the Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs. http://p.sf.net/sfu/intelisp-dev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Dropped packets again Lay, James (Nov 26)
- Re: Dropped packets again rmkml (Nov 26)
- Re: Dropped packets again Joel Esler (Nov 26)