Snort mailing list archives

SRC x DST address after packet reassembly


From: "Marcus Rocha" <mvrocha () brfree com br>
Date: Fri, 10 Aug 2001 21:14:32 GMT-3



Hi,

some days ago I got shocked after looking at my alerts. I had just received
a single "EMF - Code Red worm got you". After checking, double-checking, cross-checking
and verifying everything I could (logs, known tracks of infection), I came to
the conclusion that it was a false alert. I could not find any other such alerts
and could not find any evidence that this webserver was trying to send any outbound
probes (my firewall would block any outbound traffic anyway...)

It seems to me that, after packet reassembly, SRC and DST addresses had been exchanged.
I'm using snort 1.8b1, which is not the most up-to-date I can get... The excerpt
of my alerts follows (XXX.XXX.XXX.XXX is the offending host, *.*.*.* is my webserver).


I would appreciate any ideas that would help me get a better sleep!

Regards,
Marcus


====================================================================


[**] [1:0:0] IDS296/web-misc_http-whisker-splicing-attack-space [**]
[Classification: suspicious miscellaneous traffic] [Priority: 1]
08/08-01:57:54.761539 XXX.XXX.XXX.XXX:2035 -> *.*.*.*:80
TCP TTL:104 TOS:0x0 ID:34194 IpLen:20 DgmLen:44 DF
***AP*** Seq: 0xF7939297  Ack: 0x31F8D477  Win: 0x4470  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS296]

[**] [1:0:0] CodeRed Word Overflow Sent [**]
08/08-01:57:54.810443 XXX.XXX.XXX.XXX:2035 -> *.*.*.*:80
TCP TTL:104 TOS:0x0 ID:34195 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xF793929B  Ack: 0x31F8D477  Win: 0x4470  TcpLen: 20

[**] [1:0:0] IDS243/web-cgi_http-cgi-pipe [**]
[Classification: system integrity attempt] [Priority: 11]
08/08-01:57:55.821838 XXX.XXX.XXX.XXX:2035 -> *.*.*.*:80
TCP TTL:104 TOS:0x0 ID:34228 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xF793984F  Ack: 0x31F8D477  Win: 0x4470  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS243]

[**] [1:0:0] CodeRed Word Defacement Sent [**]
08/08-01:57:55.840627 XXX.XXX.XXX.XXX:2035 -> *.*.*.*:80
TCP TTL:104 TOS:0x0 ID:34229 IpLen:20 DgmLen:1155 DF
***AP*** Seq: 0xF7939E03  Ack: 0x31F8D477  Win: 0x4470  TcpLen: 20

[**] [1:0:0] EMF - Code Red worm got you [**]
08/08-01:57:55.843058 *.*.*.*:80 -> XXX.XXX.XXX.XXX:2035
TCP TTL:127 TOS:0x0 ID:46242 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x31F8D477  Ack: 0xF793A25E  Win: 0x2238  TcpLen: 20
-------------------------------
http://www.brfree.com.br - The first free provider in Brazil

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
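A check worth running on an excerpt like the one above before concluding the addresses were swapped: compute the TCP payload each alert's packet actually carried (DgmLen - IpLen - TcpLen) and see whether the flagged packet could have contained the bytes a content rule matched. The script below is an added example, not code from the poster or from the Snort project; it parses Snort "full" alert text in the layout posted, embeds the five posted alerts as its sample input, and, for any alert raised on a zero-payload packet, looks for data segments from the other side of the same connection that the packet's ACK number covers.

```python
import re
from collections import defaultdict

# Sample input, constructed here from the alerts quoted in the post
# (XXX.XXX.XXX.XXX is the offending host, *.*.*.* the web server).
SAMPLE_ALERTS = """\
[**] [1:0:0] IDS296/web-misc_http-whisker-splicing-attack-space [**]
[Classification: suspicious miscellaneous traffic] [Priority: 1]
08/08-01:57:54.761539 XXX.XXX.XXX.XXX:2035 -> *.*.*.*:80
TCP TTL:104 TOS:0x0 ID:34194 IpLen:20 DgmLen:44 DF
***AP*** Seq: 0xF7939297  Ack: 0x31F8D477  Win: 0x4470  TcpLen: 20

[**] [1:0:0] CodeRed Word Overflow Sent [**]
08/08-01:57:54.810443 XXX.XXX.XXX.XXX:2035 -> *.*.*.*:80
TCP TTL:104 TOS:0x0 ID:34195 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xF793929B  Ack: 0x31F8D477  Win: 0x4470  TcpLen: 20

[**] [1:0:0] IDS243/web-cgi_http-cgi-pipe [**]
08/08-01:57:55.821838 XXX.XXX.XXX.XXX:2035 -> *.*.*.*:80
TCP TTL:104 TOS:0x0 ID:34228 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xF793984F  Ack: 0x31F8D477  Win: 0x4470  TcpLen: 20

[**] [1:0:0] CodeRed Word Defacement Sent [**]
08/08-01:57:55.840627 XXX.XXX.XXX.XXX:2035 -> *.*.*.*:80
TCP TTL:104 TOS:0x0 ID:34229 IpLen:20 DgmLen:1155 DF
***AP*** Seq: 0xF7939E03  Ack: 0x31F8D477  Win: 0x4470  TcpLen: 20

[**] [1:0:0] EMF - Code Red worm got you [**]
08/08-01:57:55.843058 *.*.*.*:80 -> XXX.XXX.XXX.XXX:2035
TCP TTL:127 TOS:0x0 ID:46242 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x31F8D477  Ack: 0xF793A25E  Win: 0x2238  TcpLen: 20
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PKT_RE = re.compile(r"^(\d\d/\d\d-[\d:.]+) (\S+):(\d+) -> (\S+):(\d+)$")
IP_RE = re.compile(r"^TCP TTL:(\d+) .*IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(r"^(\S{8}) Seq: 0x([0-9A-F]+)\s+Ack: 0x([0-9A-F]+)\s+.*TcpLen: (\d+)$")


def parse_alerts(text):
    """Turn Snort 'full'-format alert text into one dict per alert."""
    alerts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.match(line)):
            cur = {"sid": int(m.group(2)), "msg": m.group(4)}
            alerts.append(cur)
        elif cur is None:
            continue
        elif (m := PKT_RE.match(line)):
            cur.update(ts=m.group(1), src=m.group(2), sport=int(m.group(3)),
                       dst=m.group(4), dport=int(m.group(5)))
        elif (m := IP_RE.match(line)):
            cur.update(ttl=int(m.group(1)), iplen=int(m.group(2)), dgmlen=int(m.group(3)))
        elif (m := TCP_RE.match(line)):
            cur.update(flags=m.group(1), seq=int(m.group(2), 16),
                       ack=int(m.group(3), 16), tcplen=int(m.group(4)))
            # Bytes of TCP payload the named packet really carried.
            cur["payload"] = cur["dgmlen"] - cur["iplen"] - cur["tcplen"]
    return alerts


def flow_key(a):
    """Direction-independent connection key so both sides group together."""
    return tuple(sorted([(a["src"], a["sport"]), (a["dst"], a["dport"])]))


def zero_payload_alerts(alerts):
    """Flag alerts whose packet carried no TCP payload.

    A content rule has nothing to match in a bare ACK, so such an alert must
    have fired on reassembled stream data; the SRC/DST printed on it are those
    of the packet that caused the match to be reported, not necessarily of the
    host that sent the matching bytes.  For each one, list data segments from
    the peer that the ACK number covers (32-bit sequence wrap is ignored)."""
    by_flow = defaultdict(list)
    for a in alerts:
        by_flow[flow_key(a)].append(a)
    findings = []
    for a in alerts:
        if a["payload"] != 0:
            continue
        covered = [b for b in by_flow[flow_key(a)]
                   if b["src"] == a["dst"] and b["payload"] > 0
                   and b["seq"] + b["payload"] <= a["ack"]]
        findings.append({
            "msg": a["msg"],
            "reported_src": a["src"],
            "reported_dst": a["dst"],
            # True when the ACK lands exactly at the end of the peer's last segment.
            "ack_ends_at_last_segment": bool(covered)
                and max(b["seq"] + b["payload"] for b in covered) == a["ack"],
            "likely_sender_of_matched_bytes": a["dst"] if covered else None,
            "covered_alerts": [b["msg"] for b in covered],
        })
    return findings


if __name__ == "__main__":
    for f in zero_payload_alerts(parse_alerts(SAMPLE_ALERTS)):
        print(f)
```

On the posted excerpt the only zero-payload alert is "EMF - Code Red worm got you": its packet is 40 bytes of headers, and its ACK (0xF793A25E) is exactly the sequence number plus length of the "CodeRed Word Defacement Sent" segment, with the four attacker segments chaining end to end before it. So the bytes the rule could have matched all came from XXX.XXX.XXX.XXX, and the alert line records the web server acknowledging them, not sending anything. This is a consistency check on the alert text only; it does not by itself establish how 1.8b1's reassembly labels direction, so the pcap for the flow (or a retest on a current release) is still the thing to confirm against.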