Snort mailing list archives

Re: Dropped packets again

From: Joel Esler <jesler () sourcefire com>
Date: Tue, 23 Nov 2010 21:02:07 -0500

James,

Thanks for writing in, we'll take a look.

Anyway you can pass us a full-session pcap of the activity?  I don't know if you do full packet capture as well, but if 
you could send us that, that'd be the way to go so we can research this properly.

Thanks.

Joel

On Nov 23, 2010, at 6:44 PM, Lay, James wrote:

Hey folks.



So again...doing my job and I see a spat of sid 17645:



11/23-16:20:50.583059  [**] [1:4152:4] WEB-ACTIVEX Windows Media Player
6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege
Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580

11/23-16:20:50.625051  [**] [1:4152:4] WEB-ACTIVEX Windows Media Player
6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege
Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580

11/23-16:28:32.188567  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645

11/23-16:28:32.937516  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645

11/23-16:28:32.942511  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645

11/23-16:28:32.948508  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645

11/23-16:28:32.954510  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645

11/23-16:28:32.959510  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645

11/23-16:28:32.965509  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645

11/23-16:28:32.971510  [**] [1:17645:1] WEB-CLIENT Microsoft Internet
Explorer CSS strings parsing memory corruption attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
149.136.20.26:80 -> 10.21.0.16:34645

11/23-16:30:02.942794  [**] [1:15213010:1] ET WEB_CLIENT PDF Name
Representation Obfuscation of /OpenAction [**] [Classification:
Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 ->
10.21.0.16:34763

11/23-16:30:02.942794  [**] [1:15213001:1] ET WEB_CLIENT PDF Name
Representation Obfuscation of /Subtype [**] [Classification: Potentially
Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763



Checking my pcapdump file I get:



16:20:50.583059 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack
3547191753, win 65535, length 1400

16:20:50.625051 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 1,
win 65535, length 1400

16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack
1493254297, win 48593, length 1380

16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack
1, win 48593, length 1380



SID 17645 is completely missing.  I recall sending this to the list a
while ago...I've recompiled things..and still it seems certain SIDS seem
left out of the packet captures.  There are no errors on the
interfaces...lot's of free memory, and CPU is pretty minimal.  What else
can I check?  I'm I just out of luck now?  Thanks.



James Lay

IT Security Analyst

WinCo Foods

208-672-2014 Office

208-559-1855 Cell

650 N Armstrong Pl.

Boise, Idaho 83704



<winmail.dat>------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500!
Tap into the largest installed PC base & get more eyes on your game by
optimizing for Intel(R) Graphics Technology. Get started today with the
Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
http://p.sf.net/sfu/intelisp-dev2dev_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



------------------------------------------------------------------------------
Increase Visibility of Your 3D Game App & Earn a Chance To Win $500!
Tap into the largest installed PC base & get more eyes on your game by
optimizing for Intel(R) Graphics Technology. Get started today with the
Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
http://p.sf.net/sfu/intelisp-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Dropped packets again Lay, James (Nov 26)
- Re: Dropped packets again rmkml (Nov 26)
- Re: Dropped packets again Joel Esler (Nov 26)