Snort mailing list archives
Re: possible exploit
From: Robert T Wyatt <robert.wyatt () mail utexas edu>
Date: Thu, 16 Feb 2006 22:01:35 -0600
Robert T Wyatt wrote:
Frank Knobbe wrote:Your Snort didn't alert on that? Mine do all the time. It's SID 1250 (web-misc.rules). You might want to check your config to see if this rule file is loaded and to ensure you don't miss other sigs too.Patrick S. Harper wrote: > Old Cisco exploit. I saw a bunch of them not too long ago. > > http://isc.sans.org/diary.php?storyid=1104Thanks folks, I think it must have happened right when I was restarting snort after a rule update.I will watch for this in the future to ensure that my setup is correct.
My Snort is working fine; it really must have happened right as I was restarting the application that day.
[**] [1:1250:13] WEB-MISC Cisco IOS HTTP configuration attempt [**] [Classification: Web Application Attack] [Priority: 1] 02/16-17:31:44.420752 80.192.40.254:3763 -> 66.90.146.246:80 TCP TTL:112 TOS:0x0 ID:54368 IpLen:20 DgmLen:78 DF ***AP*** Seq: 0xFD838C6F Ack: 0xCC3D1484 Win: 0xFAF0 TcpLen: 20[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10700][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0537][Xref => http://www.securityfocus.com/bid/2936]
------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- possible exploit Robert T Wyatt (Feb 15)
- RE: possible exploit Patrick S. Harper (Feb 15)
- Re: possible exploit Frank Knobbe (Feb 15)
- Re: possible exploit Robert T Wyatt (Feb 15)
- Re: possible exploit Robert T Wyatt (Feb 16)
- Re: possible exploit Robert T Wyatt (Feb 15)