Snort mailing list archives
Re: Dropped packets again
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 23 Nov 2010 21:02:07 -0500
James,

Thanks for writing in, we'll take a look. Any way you can pass us a full-session pcap of the activity? I don't know if you do full packet capture as well, but if you could send us that, that'd be the way to go so we can research this properly.

Thanks.

Joel

On Nov 23, 2010, at 6:44 PM, Lay, James wrote:
Hey folks. So again...doing my job and I see a spate of sid 17645:

11/23-16:20:50.583059 [**] [1:4152:4] WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580
11/23-16:20:50.625051 [**] [1:4152:4] WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580
11/23-16:28:32.188567 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.937516 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.942511 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.948508 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.954510 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.959510 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.965509 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.971510 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:30:02.942794 [**] [1:15213010:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /OpenAction [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763
11/23-16:30:02.942794 [**] [1:15213001:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763

Checking my pcapdump file I get:

16:20:50.583059 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 3547191753, win 65535, length 1400
16:20:50.625051 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 1, win 65535, length 1400
16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack 1493254297, win 48593, length 1380
16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack 1, win 48593, length 1380

SID 17645 is completely missing. I recall sending this to the list a while ago...I've recompiled things..and still it seems certain SIDs seem left out of the packet captures. There are no errors on the interfaces...lots of free memory, and CPU is pretty minimal. What else can I check? Am I just out of luck now?

Thanks.

James Lay
IT Security Analyst
WinCo Foods
208-672-2014 Office
208-559-1855 Cell
650 N Armstrong Pl.
Boise, Idaho 83704
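The check James did by hand (alert lines against tcpdump output for the same timestamps and flows) is easy to script, and the script also distinguishes "the flow is in the capture but not the triggering packet" from "the whole flow is absent", which points at different causes (a packet-level drop versus a capture filter or interface problem). The following is an added example, not code from the thread, Snort or Sourcefire; it assumes Snort's fast-alert line format and default tcpdump text output, and the sample lines are a subset of those pasted in the message above.

```python
import re
from collections import defaultdict

# Snort "fast" alert line, e.g.
# 11/23-16:28:32.188567 [**] [1:17645:1] WEB-CLIENT ... [**] [Classification: ...] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
ALERT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d{6}) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] .*?"
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Default tcpdump text output for a TCP packet, e.g.
# 16:28:32.188567 IP 149.136.20.26.80 > 10.21.0.16.34645: Flags [.], ack 1, win 48593, length 1380
CAPTURE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d{6}) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

# Sample input: a subset of the alert and tcpdump lines from the message above.
SAMPLE_ALERTS = """
11/23-16:20:50.583059 [**] [1:4152:4] WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580
11/23-16:20:50.625051 [**] [1:4152:4] WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580
11/23-16:28:32.188567 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.937516 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:30:02.942794 [**] [1:15213010:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /OpenAction [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763
11/23-16:30:02.942794 [**] [1:15213001:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763
"""

SAMPLE_CAPTURE = """
16:20:50.583059 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 3547191753, win 65535, length 1400
16:20:50.625051 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 1, win 65535, length 1400
16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack 1493254297, win 48593, length 1380
16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack 1, win 48593, length 1380
"""


def parse_alerts(text):
    """Return one dict per parseable fast-alert line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, map(str.strip, text.splitlines())) if m]


def parse_capture(text):
    """Return (packet keys, flow keys) seen in tcpdump text output.

    A packet key is (time, src, sport, dst, dport); a flow key drops the time,
    so we can tell "flow captured, packet not" from "flow absent entirely"."""
    packets, flows = set(), set()
    for line in text.splitlines():
        m = CAPTURE_RE.match(line.strip())
        if m:
            flow = (m["src"], m["sport"], m["dst"], m["dport"])
            packets.add((m["time"],) + flow)
            flows.add(flow)
    return packets, flows


def correlate(alert_text, capture_text):
    """Per SID: how many alerts had their triggering packet captured, only their
    flow captured, or nothing captured at all."""
    packets, flows = parse_capture(capture_text)
    report = defaultdict(lambda: {"alerts": 0, "packet": 0, "flow_only": 0, "missing": 0})
    for a in parse_alerts(alert_text):
        flow = (a["src"], a["sport"], a["dst"], a["dport"])
        r = report[a["sid"]]
        r["alerts"] += 1
        if (a["time"],) + flow in packets:   # Snort stamps alerts with the packet's own time
            r["packet"] += 1
        elif flow in flows:
            r["flow_only"] += 1
        else:
            r["missing"] += 1
    return dict(report)


def uncaptured_sids(report):
    """SIDs for which not a single triggering packet made it into the capture."""
    return sorted(sid for sid, r in report.items() if r["packet"] == 0)


if __name__ == "__main__":
    rep = correlate(SAMPLE_ALERTS, SAMPLE_CAPTURE)
    for sid, r in sorted(rep.items()):
        print(sid, r)
    print("SIDs with no captured packet:", uncaptured_sids(rep))
```

Run against the real alert file and `tcpdump -nn -r capture.pcap` output rather than the embedded samples. The exact-timestamp match relies on the sensor and the capture box sharing a clock (or the same packet source, as with a pcapdump written by the sensor itself); if they do not, widen the comparison to a small time window, and read the `flow_only` column as the signal that the flow was seen but the specific packet was lost.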
Current thread:
- Dropped packets again Lay, James (Nov 26)
- Re: Dropped packets again rmkml (Nov 26)
- Re: Dropped packets again Joel Esler (Nov 26)