Snort mailing list archives
Re: Oddness with 16295
From: "Lay, James" <james.lay () wincofoods com>
Date: Thu, 11 Nov 2010 10:43:15 -0700
Bump...no takers on this?

From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Wednesday, November 10, 2010 10:52 AM
To: snort-users () lists sourceforge net
Subject: Oddness with 16295

So this is weird....looking at this hit:

11/10-10:38:18.976338 [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 -> 10.21.0.16:64385

Fairly certain it's an fp, but...when I hit the pcap dump file, it doesn't show....here's consecutive hits in the alert file:

11/10-10:37:25.096951 [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
11/10-10:37:25.131950 [**] [1:12280:2] WEB-CLIENT VML source file memory corruption [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 67.23.129.249:80 -> 10.21.0.16:64185
11/10-10:38:18.976338 [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 204.11.109.23:80 -> 10.21.0.16:64385
11/10-10:39:35.643464 [**] [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Priority: 3] {TCP} 10.21.0.16:64686 -> 66.211.180.40:80

And from the pcap file:

sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395
10:37:25.096951 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack 1081895485, win 4789, length 1400
10:37:25.131950 IP 67.23.129.249.80 > 10.21.0.16.64185: Flags [.], ack 1, win 4789, length 1400
10:39:35.643464 IP 10.21.0.16.64686 > 66.211.180.40.80: Flags [.], ack 2261207081, win 65535, length 536

So where did 16295 go?

A quick check for that IP gives nothing:

[10:48:24 jlay@goids:~/log$] sudo tcpdump -n -s 1524 -r internettcpdump.pcap.1289401395 ip and host 204.11.109.23
reading from file internettcpdump.pcap.1289401395, link-type EN10MB (Ethernet)
[10:50:21 jlay@goids:~/log$]

James Lay
IT Security Analyst
WinCo Foods
208-672-2014 Office
208-559-1855 Cell
650 N Armstrong Pl.
Boise, Idaho 83704