Re: Aurora Exploit Attempt Alert One Hour Delay

[James Lay <jlay () slave-tothe-box net>]

On 2014-01-23 15:22, Latonya Hall wrote:
> 01/23/14-10:21:11.663009 [**] [1:26569:3] BROWSER-IE Microsoft
> Internet Explorer null object access attempt [**] [Classification:
> Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.2.172:8080
> [18] -> 192.168.2.224:1081 [19]
> On Jan 23, 2014 5:09 PM, "Mike Miller" <mike () millertwinracing com
> [20]> wrote:
>
> > Whats the SID for the rule?
> >
> > On Thu, Jan 23, 2014 at 2:41 PM, Latonya Hall <lhall () vahna net [17]>
> > wrote:
> >
> > > I am tailing the file.
> > >
> > > On Jan 23, 2014 4:28 PM, "Mike Miller" <mike () millertwinracing com
> > > [16]> wrote:

For what it's worth I see this sometimes as well when tailing the .fast 
file...usually after a burst of alerts.  Interestingly the alert id in 
my sguil console shows the earlier alert incremented correctly.

James

------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today. 
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!