Snort mailing list archives
Re: What is this packet? Going to M$
From: twig les <twigles () yahoo com>
Date: Thu, 20 Mar 2003 09:18:42 -0800 (PST)
I'm not sure how well it would work but you could start digging and block all outbound connections to M$ IP ranges. This will break things like the update mechanism (if you can break something that's already broken) and people won't be able to surf Microsoft's site. I think I'll try this at my home office and leave one bsd box open to dl patches (and patches and patches and ...). If you're curious ping me privately in a week or so to find out how goes it.

--- Paul Schmehl <pauls () utdallas edu> wrote:
This is a packet going from a host on our network to port 80 at 207.46.131.156 which is ntservicepack.microsoft.com. I've seen these pretty regularly, and I'm wondering if anyone else is seeing them as well? Appears to me that M$ is taking inventory.......

length = 1460
000 : 37 30 38 39 39 38 33 0A 61 78 70 65 72 66 2E 69 7089983.axperf.i
010 : 6E 69 0A 62 61 73 65 73 72 76 2E 64 6C 6C 2C 32 ni.basesrv.dll,2
020 : 62 34 66 65 32 38 39 0A 62 61 74 6D 65 74 65 72 b4fe289.batmeter
030 : 2E 64 6C 6C 2C 37 32 38 64 64 33 37 39 0A 62 61 .dll,728dd379.ba
040 : 74 74 63 2E 73 79 73 2C 31 63 31 38 33 61 65 38 ttc.sys,1c183ae8
050 : 2C 66 61 32 36 38 35 37 39 0A 62 69 6E 6C 73 76 ,fa268579.binlsv
060 : 63 2E 64 6C 6C 2C 31 34 31 39 39 63 36 31 0A 62 c.dll,14199c61.b
070 : 72 65 65 63 65 6D 63 2E 73 79 73 2C 37 64 37 31 reecemc.sys,7d71
080 : 37 36 37 63 2C 65 64 62 33 65 65 37 34 0A 62 72 767c,edb3ee74.br
090 : 6F 74 68 65 72 2E 64 6C 6C 2C 31 39 34 33 30 34 other.dll,194304
0a0 : 34 38 0A 62 72 6F 74 68 75 69 2E 64 6C 6C 2C 37 48.brothui.dll,7
0b0 : 62 65 38 31 32 35 30 2C 38 38 63 36 31 39 31 33 be81250,88c61913
0c0 : 0A 62 72 6F 77 73 63 61 70 2E 64 6C 6C 2C 35 61 .browscap.dll,5a
0d0 : 38 62 38 39 66 37 0A 62 72 6F 77 73 65 6C 63 2E 8b89f7.browselc.
0e0 : 64 6C 6C 2C 66 30 64 37 34 39 36 30 0A 62 72 6F dll,f0d74960.bro
0f0 : 77 73 65 72 2E 64 6C 6C 2C 33 34 36 62 30 35 66 wser.dll,346b05f
100 : 65 0A 62 72 6F 77 73 65 75 69 2E 64 6C 6C 2C 34 e.browseui.dll,4
110 : 33 32 37 62 33 33 62 0A 63 5F 69 73 32 30 32 32 327b33b.c_is2022
120 : 2E 64 6C 6C 2C 31 35 32 38 38 65 30 34 0A 63 61 .dll,15288e04.ca
130 : 63 6C 73 2E 65 78 65 2C 31 63 66 34 37 31 35 39 cls.exe,1cf47159
140 : 0A 63 61 6C 6C 63 6F 6E 74 2E 64 6C 6C 2C 62 39 .callcont.dll,b9
150 : 62 62 66 62 62 61 0A 63 61 74 73 72 76 2E 64 6C bbfbba.catsrv.dl
160 : 6C 2C 62 39 61 33 62 66 32 35 0A 63 61 74 73 72 l,b9a3bf25.catsr
170 : 76 75 74 2E 64 6C 6C 2C 31 30 39 38 31 65 35 65 vut.dll,10981e5e
180 : 0A 63 64 66 73 2E 73 79 73 2C 65 62 30 61 32 30 .cdfs.sys,eb0a20
190 : 35 63 0A 63 64 66 76 69 65 77 2E 64 6C 6C 2C 31 5c.cdfview.dll,1
1a0 : 63 32 33 62 63 63 33 0A 63 64 6D 2E 64 6C 6C 2C c23bcc3.cdm.dll,
1b0 : 62 30 34 31 63 65 35 32 0A 63 64 6D 6F 64 65 6D b041ce52.cdmodem
1c0 : 2E 64 6C 6C 0A 63 64 6F 6E 74 73 2E 64 6C 6C 2C .dll.cdonts.dll,
1d0 : 32 39 31 61 34 38 62 33 0A 63 64 6F 73 79 73 2E 291a48b3.cdosys.
1e0 : 64 6C 6C 2C 34 36 62 32 64 66 39 36 0A 63 64 72 dll,46b2df96.cdr
1f0 : 6F 6D 2E 73 79 73 2C 35 63 36 32 66 33 35 64 0A om.sys,5c62f35d.
200 : 63 65 72 74 63 6C 69 2E 64 6C 6C 2C 30 63 63 66 certcli.dll,0ccf
210 : 63 37 36 61 0A 63 65 72 74 6D 61 70 2E 6F 63 78 c76a.certmap.ocx
220 : 2C 66 34 35 33 31 34 30 62 0A 63 65 72 74 6D 67 ,f453140b.certmg
230 : 72 2E 64 6C 6C 2C 66 38 36 38 39 38 61 34 0A 63 r.dll,f86898a4.c
240 : 65 72 74 72 71 62 69 2E 61 73 70 0A 63 65 72 74 ertrqbi.asp.cert
250 : 72 71 6D 61 2E 61 73 70 0A 63 65 72 74 77 69 7A rqma.asp.certwiz
260 : 2E 6F 63 78 2C 64 32 32 34 62 61 32 64 0A 63 66 .ocx,d224ba2d.cf
270 : 67 77 69 7A 2E 65 78 65 2C 66 33 35 66 62 35 36 gwiz.exe,f35fb56
280 : 65 0A 63 68 6B 64 73 6B 2E 65 78 65 2C 33 38 37 e.chkdsk.exe,387
290 : 66 34 39 66 37 0A 63 68 6B 6E 74 66 73 2E 65 78 f49f7.chkntfs.ex
2a0 : 65 2C 30 35 30 35 66 36 39 62 0A 63 69 61 64 6D e,0505f69b.ciadm
2b0 : 69 6E 2E 64 6C 6C 2C 37 35 66 64 33 30 36 36 0A in.dll,75fd3066.
2c0 : 63 69 6D 77 69 6E 33 32 2E 64 6C 6C 2C 39 65 65 cimwin32.dll,9ee
2d0 : 61 33 31 34 64 0A 63 69 70 68 65 72 2E 65 78 65 a314d.cipher.exe
2e0 : 2C 65 36 37 66 30 33 64 37 0A 63 6C 61 73 73 65 ,e67f03d7.classe
2f0 : 73 2E 63 65 72 0A 63 6C 61 73 73 65 73 2E 7A 69 s.cer.classes.zi
300 : 70 0A 63 6C 61 73 73 70 6E 70 2E 73 79 73 2C 39 p.classpnp.sys,9
310 : 66 31 37 35 33 65 34 0A 63 6C 62 63 61 74 65 78 f1753e4.clbcatex
320 : 2E 64 6C 6C 2C 32 35 64 62 37 34 38 64 0A 63 6C .dll,25db748d.cl
330 : 62 63 61 74 71 2E 64 6C 6C 2C 62 66 32 64 34 62 bcatq.dll,bf2d4b
340 : 35 34 0A 63 6C 75 73 61 70 69 2E 64 6C 6C 2C 30 54.clusapi.dll,0
350 : 33 32 31 38 33 64 62 0A 63 6C 75 73 69 69 73 34 32183db.clusiis4
360 : 2E 64 6C 6C 0A 63 6C 75 73 74 65 72 2E 65 78 65 .dll.cluster.exe
370 : 2C 37 32 66 34 61 35 35 61 0A 63 6D 62 61 74 74 ,72f4a55a.cmbatt
380 : 2E 73 79 73 2C 35 61 30 61 36 64 64 66 2C 30 30 .sys,5a0a6ddf,00
390 : 35 39 33 36 34 65 0A 63 6D 64 2E 65 78 65 2C 32 59364e.cmd.exe,2
3a0 : 36 31 61 34 35 63 33 0A 63 6D 64 69 61 6C 33 32 61a45c3.cmdial32
3b0 : 2E 64 6C 6C 2C 63 34 66 33 36 34 65 63 0A 63 6D .dll,c4f364ec.cm
3c0 : 6E 71 75 65 72 79 2E 64 6C 6C 2C 61 37 38 30 39 nquery.dll,a7809
3d0 : 32 32 61 0A 63 6D 70 72 6F 70 73 2E 64 6C 6C 2C 22a.cmprops.dll,
3e0 : 65 64 66 33 65 66 32 31 0A 63 6D 73 74 70 2E 65 edf3ef21.cmstp.e
3f0 : 78 65 2C 61 35 36 35 34 36 30 37 0A 63 6D 75 74 xe,a5654607.cmut
400 : 69 6C 2E 64 6C 6C 2C 38 36 62 66 39 31 65 62 0A il.dll,86bf91eb.
410 : 63 6E 66 67 70 72 74 73 2E 6F 63 78 2C 38 63 39 cnfgprts.ocx,8c9
420 : 38 65 30 32 30 0A 63 6E 76 66 61 74 2E 64 6C 6C 8e020.cnvfat.dll
430 : 2C 31 30 39 62 65 38 66 66 0A 63 6F 61 64 6D 69 ,109be8ff.coadmi
440 : 6E 2E 64 6C 6C 2C 38 65 33 63 34 30 61 61 0A 63 n.dll,8e3c40aa.c
450 : 6F 6C 62 61 63 74 2E 64 6C 6C 2C 36 64 39 39 35 olbact.dll,6d995
460 : 63 63 64 0A 63 6F 6D 61 64 6D 69 6E 2E 64 6C 6C ccd.comadmin.dll
470 : 2C 36 30 35 39 64 31 63 36 0A 63 6F 6D 63 61 74 ,6059d1c6.comcat
480 : 2E 64 6C 6C 2C 33 31 38 34 64 37 39 31 0A 63 6F .dll,3184d791.co
490 : 6D 63 74 6C 33 32 2E 64 6C 6C 2C 36 66 65 38 38 mctl32.dll,6fe88
4a0 : 32 31 63 0A 63 6F 6D 64 6C 67 33 32 2E 64 6C 6C 21c.comdlg32.dll
4b0 : 2C 64 36 64 37 61 61 34 35 0A 63 6F 6D 6D 61 6E ,d6d7aa45.comman
4c0 : 64 2E 63 6F 6D 2C 65 38 64 33 30 30 38 61 0A 63 d.com,e8d3008a.c
4d0 : 6F 6D 70 62 61 74 74 2E 73 79 73 2C 37 34 35 37 ompbatt.sys,7457
4e0 : 61 63 39 62 2C 64 66 61 38 64 38 38 30 0A 63 6F ac9b,dfa8d880.co
4f0 : 6D 70 66 69 6C 74 2E 64 6C 6C 2C 66 36 61 62 64 mpfilt.dll,f6abd
500 : 30 33 65 0A 63 6F 6D 73 65 74 75 70 2E 64 6C 6C 03e.comsetup.dll
510 : 2C 31 66 61 37 64 30 66 39 0A 63 6F 6D 73 76 63 ,1fa7d0f9.comsvc
520 : 73 2E 64 6C 6C 2C 35 62 34 65 62 36 66 30 0A 63 s.dll,5b4eb6f0.c
530 : 6F 6D 75 69 64 2E 64 6C 6C 2C 35 37 30 63 36 61 omuid.dll,570c6a
540 : 64 35 0A 63 6F 6E 66 2E 61 64 6D 2C 65 33 39 66 d5.conf.adm,e39f
550 : 32 38 61 64 0A 63 6F 6E 66 2E 65 78 65 2C 63 62 28ad.conf.exe,cb
560 : 35 37 62 33 31 38 0A 63 6F 6E 66 6D 73 70 2E 64 57b318.confmsp.d
570 : 6C 6C 2C 64 65 39 32 63 31 38 65 0A 63 6F 6E 69 ll,de92c18e.coni
580 : 6D 65 2E 65 78 65 2C 35 30 62 64 62 35 62 36 0A me.exe,50bdb5b6.
590 : 63 6F 6E 74 72 6F 6C 2E 65 78 65 2C 39 64 61 34 control.exe,9da4
5a0 : 32 30 35 66 0A 63 6F 6E 74 72 6F 74 2E 64 6C 6C 205f.controt.dll
5b0 : 2C 62 33 65 ,b3e
length = 1460

--
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
=== message truncated ===

=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------
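The ASCII column of the dump above shows a newline-separated list of lines of the form `filename,value[,value]`, with some names carrying no value at all (axperf.ini, cdmodem.dll, the .asp files). The following script is an added example, not code from this thread or from any Microsoft tool: it decodes the first fourteen rows of the dump (copied from the post) back into bytes and parses them into records. The record layout is inferred from the dump and is an assumption; the post does not say what the 8-hex-digit values are, so the code only checks that they look like 32-bit hex words. Because the capture is a single 1460-byte TCP segment, the list is cut at arbitrary points at both ends, so the parser keeps the leading and trailing partial lines separate instead of mistaking them for whole records, and `parse_stream` shows that joining consecutive segment payloads recovers a record split across a boundary.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Rows 000-0d0 of the hex dump in the post above. Each row is
# "<offset> : <up to 16 hex bytes> <ascii column>"; only the hex column is decoded.
DUMP_EXCERPT = """\
000 : 37 30 38 39 39 38 33 0A 61 78 70 65 72 66 2E 69 7089983.axperf.i
010 : 6E 69 0A 62 61 73 65 73 72 76 2E 64 6C 6C 2C 32 ni.basesrv.dll,2
020 : 62 34 66 65 32 38 39 0A 62 61 74 6D 65 74 65 72 b4fe289.batmeter
030 : 2E 64 6C 6C 2C 37 32 38 64 64 33 37 39 0A 62 61 .dll,728dd379.ba
040 : 74 74 63 2E 73 79 73 2C 31 63 31 38 33 61 65 38 ttc.sys,1c183ae8
050 : 2C 66 61 32 36 38 35 37 39 0A 62 69 6E 6C 73 76 ,fa268579.binlsv
060 : 63 2E 64 6C 6C 2C 31 34 31 39 39 63 36 31 0A 62 c.dll,14199c61.b
070 : 72 65 65 63 65 6D 63 2E 73 79 73 2C 37 64 37 31 reecemc.sys,7d71
080 : 37 36 37 63 2C 65 64 62 33 65 65 37 34 0A 62 72 767c,edb3ee74.br
090 : 6F 74 68 65 72 2E 64 6C 6C 2C 31 39 34 33 30 34 other.dll,194304
0a0 : 34 38 0A 62 72 6F 74 68 75 69 2E 64 6C 6C 2C 37 48.brothui.dll,7
0b0 : 62 65 38 31 32 35 30 2C 38 38 63 36 31 39 31 33 be81250,88c61913
0c0 : 0A 62 72 6F 77 73 63 61 70 2E 64 6C 6C 2C 35 61 .browscap.dll,5a
0d0 : 38 62 38 39 66 37 0A 62 72 6F 77 73 65 6C 63 2E 8b89f7.browselc.
"""

HEX_ROW = re.compile(r"^\s*[0-9A-Fa-f]+\s*:\s*(.*)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
# Assumption: the per-file values are 32-bit words written as 8 lowercase hex digits.
HASH = re.compile(r"^[0-9a-f]{8}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Decode 'offset : bytes ascii' rows into raw payload bytes.

    Tokens after the colon are consumed while they are two hex digits (at
    most 16 per row); the first token that is not, i.e. the ASCII column,
    ends the row. That also handles the short final row of a dump."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_ROW.match(line)
        if not m:
            continue
        for tok in m.group(1).split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


@dataclass
class Record:
    name: str
    hashes: List[str] = field(default_factory=list)

    def well_formed(self) -> bool:
        return all(HASH.match(h) for h in self.hashes)


def parse_inventory(payload: bytes) -> Tuple[str, List[Record], str]:
    """Parse one segment's payload into (head_fragment, records, tail_fragment).

    Observed layout: newline-separated lines of '<name>[,<hex>[,<hex>]]'.
    A 1460-byte segment cuts the list wherever the MSS falls, so the text
    before the first newline and after the last newline is returned as a
    fragment rather than being reported as a complete record."""
    text = payload.decode("ascii", errors="replace")
    lines = text.split("\n")
    if len(lines) == 1:  # no newline at all: the whole segment is one fragment
        return text, [], ""
    head, body, tail = lines[0], lines[1:-1], lines[-1]
    records = []
    for line in body:
        fields = line.split(",")
        records.append(Record(fields[0], fields[1:]))
    return head, records, tail


def parse_stream(segments: List[bytes]) -> Tuple[str, List[Record], str]:
    """Concatenate consecutive segment payloads before parsing, so a record
    split across a segment boundary comes back whole. Only the fragments at
    the very start and end of the capture remain."""
    return parse_inventory(b"".join(segments))


if __name__ == "__main__":
    payload = hexdump_to_bytes(DUMP_EXCERPT)
    head, records, tail = parse_inventory(payload)
    print(f"{len(payload)} bytes; head fragment {head!r}; tail fragment {tail!r}")
    for r in records:
        print(f"{r.name:14s} {' '.join(r.hashes) or '(no value)'}")
```

Run stand-alone it lists nine complete records from the excerpt, with `7089983` (the end of a value from the previous segment) and `browselc.` (the start of the next record) reported as fragments. To apply it to the whole dump, paste the remaining rows into `DUMP_EXCERPT`; to follow a full conversation, feed the payloads of consecutive segments to `parse_stream` in sequence order.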
Current thread:
- What is this packet? Going to M$ Paul Schmehl (Mar 19)
- Re: What is this packet? Going to M$ Matt Kettler (Mar 19)
- Re: What is this packet? Going to M$ twig les (Mar 20)
- <Possible follow-ups>
- Re: What is this packet? Going to M$ Kenton Smith (Mar 20)