Snort mailing list archives

IDS254 False positive?


From: Bob Bernstein <bob () ruptured-duck com>
Date: Tue, 22 May 2001 14:06:11 -0400

This seems worth passing on:

From my snort alert file:

05/21/01-19:38:54.378223  [**] IDS254/ddos-shaft-client-to-handler [**]
152.163.180.24:80 -> nnn.my.ip.nnn:20432
05/21/01-19:38:54.421968  [**] IDS254/ddos-shaft-client-to-handler [**]
152.163.180.24:80 -> nnn.my.ip.nnn:20432
05/21/01-19:38:54.455919  [**] IDS254/ddos-shaft-client-to-handler [**]
152.163.180.24:80 -> nnn.my.ip.nnn:20432
05/21/01-19:38:54.478080  [**] IDS254/ddos-shaft-client-to-handler [**]
152.163.180.24:80 -> nnn.my.ip.nnn:20432
05/21/01-19:38:54.478154  [**] IDS254/ddos-shaft-client-to-handler [**]
152.163.180.24:80 -> nnn.my.ip.nnn:20432

But:

/var/log/snort# nslookup 152.163.180.24
Server:  localhost
Address:  127.0.0.1

Name:    ads.web.aol.com
Address:  152.163.180.24

Is there anything useful to be gleaned from the tcpdump of the packets?

Also, should something like this be passed along to whitehats.com or
someplace else?

--- snip ---

19:38:54.378223 152.163.180.24.80 > nnn.my.ip.nnn.20432: S
2715353362:2715353362(0) ack 21240968 win 16384 <mss 1360>

19:38:54.421968 152.163.180.24.80 > nnn.my.ip.nnn.20432: P 1:1056(1055) ack
155 win 16384

19:38:54.455919 4:47:0:0:0:0 0:0:0:0:45:10 ff06 1099: 
                         77e2 98a3 b418 4102 c0df 0050 4fd0 1301
                         d9a1 1301 d9a1 5018 2111 cfc6 0000 4854
                         5450 2f31 2e30 2033 3032 2046 6f75 6e64
                         0d0a 5072 6167 6d61 3a20 6e6f 2d63 6163
                         6865 0d0a 4361 6368 652d 436f 6e74 726f
                         6c3a 206e 6f2d 6361 6368 650d 0a45 7870
                         6972 6573 3a20 4d6f 6e2c 2032 3120 4d61
                         7920 3230 3031 2032 333a 3338 3a35 3420
                         474d 540d 0a53 6574 2d43 6f6f 6b69 653a
                         2062 6164 7363 3d42 3076 4659 3432 704b
                         5557 3945 3441 2d4a 5959 6a71 4535 3665
                         6b5a 4b38 7268 6f50 4c38 616c 6873 3530
                         5669 5341 3448 6f6b 5435 3668 3666 6a62
                         6b4a 5751 666b 5a72 4438 685f 7869 7464
                         4563 7479 6339 5959 4f6e 6d7a 7172 636b
                         7a4e 334f 6751 7069 323b 7061 7468 3d2f
                         6c69 6e6b 2f37 3030 3937 3933 0d0a 4c6f
                         6361 7469 6f6e 3a20 6874 7470 3a2f 2f61
                         6473 2e77 6562 2e61 6f6c 2e63 6f6d 2f63
                         6f6e 7465 6e74 2f42 302f 302f 394d 6658
                         3358 3643 4f6d 6e4f 7356 4d47 574e 5952
                         5836 4d35 7669 5676 5169 5439 7039 3237
                         4879 7455 6863 7930 3836 6541 7536 5873
                         416b 6a5a 7a48 444c 6b52 3036 4e57 4164
                         6f6c 635f 5f70 6555 4c4e 745a 4b32 4345
                         6a51 3334 4433 4847 4e37 3867 6635 6549
                         6750 794a 4730 6324 2f61 6f6c 0d0a 4461
                         7465 3a20 4d6f 6e2c 2032 3120 4d61 7920
                         3230 3031 2032 333a 3338 3a35 3420 474d
                         540d 0a43 6f6e 7465 6e74 2d4c 656e 6774
                         683a 2035 3730 0d0a 436f 6e74 656e 742d
                         5479 7065 3a20 7465 7874 2f68 746d 6c0d
                         0a0d 0a3c 6874 6d6c 3e3c 6865 6164 3e3c
                         7469 746c 653e 5265 6469 7265 6374 696f
                         6e3c 2f74 6974 6c65 3e3c 2f68 6561 643e
                         3c62 6f64 793e 3c68 313e 5265 6469 7265
                         6374 696f 6e3c 2f68 313e 0d0a 3c68 723e
                         5468 6520 6c6f 6361 7469 6f6e 206f 6620
                         7468 6520 7265 7175 6573 7465 6420 5552
                         4c20 6861 7320 6d6f 7665 6420 746f 203c
                         6120 6872 6566 3d22 6874 7470 3a2f 2f61
                         6473 2e77 6562 2e61 6f6c 2e63 6f6d 2f63
                         6f6e 7465 6e74 2f42 302f 302f 394d 6658
                         3358 3643 4f6d 6e4f 7356 4d47 574e 5952
                         5836 4d35 7669 5676 5169 5439 7039 3237
                         4879 7455 6863 7930 3836 6541 7536 5873
                         416b 6a5a 7a48 444c 6b52 3036 4e57 4164
                         6f6c 635f 5f70 6555 4c4e 745a 4b32 4345
                         6a51 3334 4433 4847 4e37 3867 6635 6549
                         6750 794a 4730 6324 2f61 6f6c 223e 6874
                         7470 3a2f 2f61 6473 2e77 6562 2e61 6f6c
                         2e63 6f6d 2f63 6f6e 7465 6e74 2f42 302f
                         302f 394d 6658 3358 3643 4f6d 6e4f 7356
                         4d47 574e 5952 5836 4d35 7669 5676 5169
                         5439 7039 3237 4879 7455 6863 7930 3836
                         6541 7536 5873 416b 6a5a 7a48 444c 6b52
                         3036 4e57 4164 6f6c 635f 5f70 6555 4c4e
                         745a 4b32 4345 6a51 3334 4433 4847 4e37
                         3867 6635 6549 6750 794a 4730 6324 2f61
                         6f6c 3c2f 613e 2041 6e79 206d 6f64 6572
                         6e20 6272 6f77 7365 7220 7769 6c6c 2061
                         7574 6f6d 6174 6963 616c 6c79 2068 616e
                         646c 6520 6120 7265 6469 7265 6374 696f
                         6e20 666f 7220 796f 752e 2020 4966 2079
                         6f75 2061 7265 2072 6561 6469 6e67 2074
                         6869 7320 7061 6765 2c20 796f 7520 7368
                         6f75 6c64 2075 7067 7261 6465 2e3c 2f62
                         6f64 793e 3c2f 6874 6d6c 3e0d 0a

19:38:54.478080 152.163.180.24.80 > nnn.my.ip.nnn.20432: F 1056:1056(0) ack
155 win 16384

19:38:54.478154 152.163.180.24.80 > nnn.my.ip.nnn.20432: F 1056:1056(0) ack
156 win 16384

--- snip ---

Best regards,

-- 
Bob Bernstein
at
Esmond, R.I., USA
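Decoded, the hex dump above is an HTTP/1.0 302 redirect from ads.web.aol.com (status line "HTTP/1.0 302 Found", then Pragma, Cache-Control, Expires, Set-Cookie, Location and a small HTML body). Read together with the ASCII lines, the session was opened by the local host: the first packet is a SYN/ACK from 152.163.180.24:80, so 20432 is simply the ephemeral port the local browser picked, and the signature fired on every packet of that session, SYN/ACK and FINs included, because it keys on destination port 20432. The following Python is an added illustration, not part of the original post or of Snort: it parses the post's own tcpdump -x words (the dump begins at the IP checksum, since tcpdump swallowed the first ten bytes of the IP header as a bogus link-layer header) and applies a triage check for a port-20432 alert. The `WEB_PORTS` set, the `triage_ids254` heuristic, the `build_raw` helper and the second, constructed packet (10.0.0.x addresses, made-up payload) are assumptions of this example.

```python
"""Decode the tcpdump -x hex words from the post and triage the IDS254 alert."""
import struct
from dataclasses import dataclass

SHAFT_HANDLER_PORT = 20432          # the destination port the IDS254 alert keys on
WEB_PORTS = {80, 443, 8080}         # assumption: ports a web server answers from

# Hex words copied from the post's third packet (19:38:54.455919). tcpdump treated
# the first ten bytes of the IP header (45 10 04 47 .. ff 06) as a bogus link-layer
# header, so the dump starts at the IP checksum. Only the headers and the start of
# the HTTP response are kept here; the rest of the body is in the post.
HEX_WORDS = """
77e2 98a3 b418 4102 c0df 0050 4fd0 1301
d9a1 1301 d9a1 5018 2111 cfc6 0000 4854
5450 2f31 2e30 2033 3032 2046 6f75 6e64
0d0a 5072 6167 6d61 3a20 6e6f 2d63 6163
6865 0d0a 4361 6368 652d 436f 6e74 726f
6c3a 206e 6f2d 6361 6368 650d 0a45 7870
6972 6573 3a20 4d6f 6e2c 2032 3120 4d61
7920 3230 3031 2032 333a 3338 3a35 3420
474d 540d 0a53 6574 2d43 6f6f 6b69 653a
2062 6164 7363 3d42 3076 4659 3432 704b
5557 3945 3441 2d4a 5959 6a71 4535 3665
6b5a 4b38 7268 6f50 4c38 616c 6873 3530
5669 5341 3448 6f6b 5435 3668 3666 6a62
6b4a 5751 666b 5a72 4438 685f 7869 7464
4563 7479 6339 5959 4f6e 6d7a 7172 636b
7a4e 334f 6751 7069 323b 7061 7468 3d2f
6c69 6e6b 2f37 3030 3937 3933 0d0a 4c6f
6361 7469 6f6e 3a20 6874 7470 3a2f 2f61
6473 2e77 6562 2e61 6f6c 2e63 6f6d 2f63
"""

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str
    payload: bytes


def words_to_bytes(text: str) -> bytes:
    """Join tcpdump -x words ('77e2 98a3 ...') into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def decode(raw: bytes) -> Segment:
    """Parse the truncated IP tail (checksum, src, dst) and the 20-byte-or-more TCP header."""
    src = ".".join(str(b) for b in raw[2:6])
    dst = ".".join(str(b) for b in raw[6:10])
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[10:30])
    data_offset = (off_flags >> 12) * 4          # TCP header length in bytes
    flags = "|".join(name for bit, name in TCP_FLAGS if off_flags & bit)
    return Segment(src, dst, sport, dport, flags, raw[10 + data_offset:])


def http_status(payload: bytes):
    """Return (version, code) if the payload opens with an HTTP status line, else None."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return parts[0].decode(), int(parts[1])
    return None


def http_headers(payload: bytes) -> dict:
    """Header lines after the status line, names lower-cased (tolerates a truncated dump)."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    out = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            out[name.strip().decode().lower()] = value.strip().decode(errors="replace")
    return out


def triage_ids254(seg: Segment):
    """Return (looks_like_false_positive, reasons) for a port-20432 alert (assumed heuristic)."""
    if seg.dport != SHAFT_HANDLER_PORT:
        return False, ["destination port is not 20432; IDS254 would not have fired"]
    reasons = []
    if seg.sport in WEB_PORTS:
        reasons.append(f"source port {seg.sport} is a web server port: 20432 is the local client's ephemeral port")
    status = http_status(seg.payload)
    if status:
        reasons.append(f"payload is a {status[0]} response with status {status[1]}, not a Shaft command")
    return bool(reasons), reasons


def build_raw(src, dst, sport, dport, flags, payload):
    """Assemble a constructed frame in the same truncated layout (IP tail + TCP + data)."""
    ip_tail = b"\x00\x00" + bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 8192, 0, 0)
    return ip_tail + tcp + payload


# Constructed comparison case: ephemeral source port and a non-HTTP payload to 20432
# (addresses and payload are made up for this example).
SYNTHETIC = build_raw("10.0.0.5", "10.0.0.9", 40123, SHAFT_HANDLER_PORT, 0x18,
                      b"constructed non-HTTP payload\n")

if __name__ == "__main__":
    for label, raw in (("post", words_to_bytes(HEX_WORDS)), ("constructed", SYNTHETIC)):
        seg = decode(raw)
        print(f"[{label}] {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} {seg.flags} {seg.payload[:20]!r}")
        fp, reasons = triage_ids254(seg)
        print("  likely false positive" if fp else "  needs investigation", *reasons, sep="\n  ")
```

Two caveats. The source-port test alone is worthless against a deliberate attacker, who can bind a client to port 80 just as easily; the payload test is the one that carries weight, and for the post's packet both agree. And tightening the signature itself, rather than triaging its output, would need a content match on the Shaft client-to-handler protocol, which nothing in this post shows, so the example stops at classification.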

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
