Re: spurious .ida attempt detects

[Martin Roesch <roesch () sourcefire com>]

Hi Russel,
     What logging mode are you using?

     -Marty

Russell Fulton wrote:
> Hi,
>         I am running snort-1.8.1-RELEASE on a debian box.  For some
> time now I have been getting alerts for the '.ida attemp' but no
> packets were logged. I reported this a couple of weeks ago but I did
> not see any responses.
>
> I have just realised that there is something else odd about these
> alerts, the MAC addresses are both zero:
>
> [**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**]
>  [Classification: Attempted Administrator Privilege Gain] [Priority: 10]
>  11/16-14:39:24.545389 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x24E
>  130.123.128.24:1754 -> 130.216.35.105:80 TCP TTL:240 TOS:0x10 ID:0
> IpLen:20 DgmLen:576
>  ***AP*** Seq: 0xCB6CF3A1 Ack: 0xE03784F8 Win: 0x7DA0 TcpLen: 20
>
> In this particular hour we logged 9 .ida alerts and none had packet
> data recorded (and all were also missing the MAC addresses).  Of these
> at least two were not code red (I can tell from the argus logs) and in
> one case I have verified with the server admin).
>
> Any ideas what is going on?
>
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users