Snort mailing list archives
Re: Interesting alerts.
From: John Sage <jsage () finchhaven com>
Date: Sun, 8 Sep 2002 11:41:09 -0700
Jeremy:

On Thu, Sep 05, 2002 at 03:17:52PM -0700, Jeremy Junginger wrote:

> I'm in the process of grooming an IDS, and came across some interesting
> alerts...about 18,000 of them. I am considering "grooming" this alert out,
> but would like to understand the traffic. Please provide any insights you
> may have. I have intentionally left the source IP intact, as it is the
> external IP that the box is connecting to. Let me know what you think.
>
> Thanks,
>
> ------------------------------------------------------------------------
> #(1 - 44731) [2002-09-05 12:38:18] [Bugtraq/4006] DOS MSDTC attempt
> IPv4: 66.28.151.197 -> x.x.x.118
>       hlen=5 TOS=0 dlen=1500 ID=37730 flags=0 offset=0 TTL=107 chksum=48209
> TCP:  port=80 -> dport: 3372  flags=***A**** seq=2626793598
>       ack=3945314208 off=5 res=0 win=16947 urp=0 chksum=34845
> Payload:  length = 1460
> 000 : 43 2B 88 61 6B 80 AB B3 E5 76 5E 50 F8 34 07 41   C+.ak....v^P.4.A
> 010 : A3 09 9C 0A 14 87 E1 89 58 0A BC 00 A4 07 59 CB   ........X.....Y.
> 020 : 40 D4 66 E0 58 2C 90 14 AA AF 00 AD 29 1A 82 D9   @.f.X,......)...
> 030 : D0 95 71 1B 11 22 80 60 48 0D 28 34 FC 5F 49 5C   ..q..".`H.(4._I\
<snippage>

The rule *did* match:

[toot@sparky /home/www/html/sys_docs/snort187]# grep 4006 *
dos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:5;)

But...

So, yes, the destination port *was* 3372 and the dsize *was* > 1024; but, given that the source port is 80, one immediately wonders about http traffic.

The packet payload looks a lot like an img (jpeg, gif..) file, or a binary...

Let's see:

[toot@sparky /]# host 66.28.151.197
Host 197.151.28.66.in-addr.arpa. not found: 3(NXDOMAIN)

[toot@sparky /etc/rc.d/init.d]# lynx -head -dump http://66.28.151.197/
HTTP/1.1 200 OK
Date: Sun, 08 Sep 2002 18:17:02 GMT
Server: GameSpy-XFS/1.0
Connection: close
Content-Type: text/html
Accept-Ranges: bytes
Cache-Control: no-cache

"GameSpy"? hmm..

[toot@sparky /]# lynx http://66.28.151.197/

   FilePlanet Download System - _
   FilePlanet Download System
   Currently Downloading 200 /200
   Waiting to Download 238
   Estimated Wait 59 minutes
   This public server is full! You can wait in line for an open slot.
   Let's Go [BUTTON]
   Why do public servers have lines?
   YOU DON'T HAVE TO WAIT! Subscribe to FilePlanet
   Get INSTANT access to dedicated, HIGH-SPEED servers without advertisements!
   advertisement
   Clicking on or refreshing an ad will not disrupt your place in line.

whois?

Registrant:
   Critical Mass Gaming Systems (FILEPLANET-DOM)
   2900 S. Bristol St., Suite E204
   Costa Mesa, CA 92626-7908
   US

   Domain Name: FILEPLANET.COM

   Administrative Contact, Technical Contact:
      Andrea Bruns (CMN2-ORG)  hostmaster () GAMESPY COM
      GameSpy Industries
      18002 Skypark Circle
      Irvine, CA 92614-6429
      US
      949-798-4200
      Fax- 949-798-4299
      Fax- - 949-798-4299

   Record expires on 09-Dec-2002.
   Record created on 08-Dec-1997.
   Database last updated on 8-Sep-2002 14:35:58 EDT.

   Domain servers in listed order:

   NS.GAMESPY.COM    207.38.0.10
   NS2.GAMESPY.COM   207.38.0.11

Ring any bells? Somebody downloading games on your network?
- John

--
"In those days, you could not buy a $2000 200MHz Pentium server."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
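Added example, not part of the thread and not Snort's own code: a small Python model of the rule evaluation John describes. It parses the sid 1408 rule text quoted above, applies its port, flags and dsize checks to a constructed packet record built from the alert (source port 80, destination port 3372, ACK only, 1460 payload bytes), and shows that the rule fires. It then evaluates a variant of the same rule with a `flow:to_server,established` option added (an assumption for illustration; `flow` is a standard Snort rule option, but this is not the published revision of sid 1408) to show that direction awareness is what separates a web-server response landing on an ephemeral port from a client actually sending large packets at MSDTC. The packet's direction and established fields are constructed metadata standing in for what Snort derives from its stream tracker.

```python
import re

# Snort rule as quoted in the thread (sid 1408, rev 5).
DOS_MSDTC_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 '
                  '(msg:"DOS MSDTC attempt"; flags:A+; dsize:>1023; '
                  'reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:5;)')

# Assumed variant for illustration: same rule with a flow constraint added.
DOS_MSDTC_RULE_FLOW = DOS_MSDTC_RULE.replace(
    'flags:A+;', 'flags:A+; flow:to_server,established;')

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)$')


def parse_rule(text):
    """Split a one-line Snort rule into header fields and an option dict.
    Options are split on ';', which is enough for this rule (no quoted ';')."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('not a Snort rule header')
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    opts = {}
    for item in body.split(';'):
        item = item.strip()
        if item:
            key, _, val = item.partition(':')
            opts[key.strip()] = val.strip().strip('"')
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dir': direction, 'dst': dst, 'dport': dport, 'opts': opts}


def net_matches(spec, label):
    # $HOME_NET / $EXTERNAL_NET are resolved here by a constructed label on the packet.
    return spec == 'any' or spec == {'home': '$HOME_NET', 'external': '$EXTERNAL_NET'}[label]


def port_matches(spec, port):
    return spec == 'any' or int(spec) == port


def flags_match(spec, flags):
    """'A+' means ACK must be set, other flags may be set; without '+' it is exact."""
    required = set(spec.rstrip('+*'))
    if spec.endswith('+'):
        return required <= set(flags)
    return required == set(flags)


def dsize_match(spec, size):
    if '<>' in spec:
        lo, hi = spec.split('<>')
        return int(lo) < size < int(hi)
    if spec.startswith('>'):
        return size > int(spec[1:])
    if spec.startswith('<'):
        return size < int(spec[1:])
    return size == int(spec)


def flow_matches(spec, pkt):
    parts = [p.strip() for p in spec.split(',')]
    if 'established' in parts and not pkt['established']:
        return False
    if 'to_server' in parts and pkt['direction'] != 'to_server':
        return False
    if 'to_client' in parts and pkt['direction'] != 'to_client':
        return False
    return True


def rule_fires(rule, pkt):
    """Apply header and the option keywords this model understands to one packet."""
    opts = rule['opts']
    checks = [
        rule['proto'] == pkt['proto'],
        net_matches(rule['src'], pkt['src_net']),
        net_matches(rule['dst'], pkt['dst_net']),
        port_matches(rule['sport'], pkt['sport']),
        port_matches(rule['dport'], pkt['dport']),
        'flags' not in opts or flags_match(opts['flags'], pkt['flags']),
        'dsize' not in opts or dsize_match(opts['dsize'], pkt['dsize']),
        'flow' not in opts or flow_matches(opts['flow'], pkt),
    ]
    return all(checks)


# Constructed from the alert in the thread: a FilePlanet web server (port 80)
# answering a download client whose ephemeral port happened to be 3372.
FILEPLANET_PKT = {'proto': 'tcp', 'src_net': 'external', 'dst_net': 'home',
                  'sport': 80, 'dport': 3372, 'flags': 'A', 'dsize': 1460,
                  'direction': 'to_client', 'established': True}

# Constructed contrast case: an external client pushing large segments at MSDTC.
CLIENT_TO_MSDTC_PKT = {'proto': 'tcp', 'src_net': 'external', 'dst_net': 'home',
                       'sport': 40123, 'dport': 3372, 'flags': 'A', 'dsize': 1460,
                       'direction': 'to_server', 'established': True}

if __name__ == '__main__':
    for name, rule in (('rev 5', DOS_MSDTC_RULE), ('with flow', DOS_MSDTC_RULE_FLOW)):
        r = parse_rule(rule)
        print(name, 'fileplanet:', rule_fires(r, FILEPLANET_PKT),
              'client->msdtc:', rule_fires(r, CLIENT_TO_MSDTC_PKT))
```

Run as written, the rev 5 rule fires on both records, which is the 18,000-alert situation in the thread; the flow-constrained variant fires only on the client-to-server record. Whether to tune sid 1408 that way or simply suppress it is the judgement call Jeremy was asking about; the model just makes explicit which rule condition was doing the work.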