Snort mailing list archives

RE: Unusual http traffic


From: Kevin Brown <Kevin.M.Brown () asu edu>
Date: Mon, 22 Oct 2001 10:34:29 -0700

Do you have a rule in snort to catch a cmd.exe request? If not, and you
aren't using the http_decode preprocessor, then that could be the reason.

-----Original Message-----
From: Fraser Hugh [mailto:hugh_fraser () dofasco ca]
Sent: Monday, October 22, 2001 10:28
To: snort-users () lists sourceforge net
Subject: [Snort-users] Unusual http traffic


I've been seeing the following URLs on our web server logs. They certainly
look suspicious.

GET /`n@/..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA../winnt/system32/cmd.exe /c+dir 403 5 3135 133 15 - - - -
GET /`n@/..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /`n@/..GetVersion..GetVersion..GetVersion..GetVersion..GetVersion../winnt/system32/cmd.exe /c+dir 403 5 3135 108 16 - - - -
GET /`n@/..TlsGetValue..TlsGetValue..TlsGetValue..TlsGetValue..TlsGetValue../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /`n@/..SetLastError..SetLastError..SetLastError..SetLastError..SetLastError../winnt/system32/cmd.exe /c+dir 403 5 3135 118 16 - - - -
GET /`n@/..RegCloseKey..RegCloseKey..RegCloseKey..RegCloseKey..RegCloseKey../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /`n@/..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA..LookupPrivilegeValueA../winnt/system32/cmd.exe /c+dir 403 5 3135 163 16 - - - -

Nothing's picked up by Snort or NFR. Any ideas?

-----Original Message-----
From: Syed Mohammad Talha [mailto:talha () cbq com qa]
Sent: Saturday, October 20, 2001 1:15 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] So many of false alerts


Hi,

I am getting so many false alerts, like:

MISC source port 53 to <1024      7648
UDP scan                           594
DNS zone transfer [arachNIDS]      396
TCP ******S* scan                  291
Virus - Possible pif Worm          197

and lots more. Can someone help me in reducing these?

Regards.
Talha

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
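As an added example (not code from the thread or from the Snort project), the following Python script applies the check Kevin suggests to the web-server log lines Fraser quoted. The sample log is constructed: the quoted lines re-joined onto single lines, plus one constructed line with a percent-encoded path and one benign request. The script percent-decodes and case-folds the request path, which is the kind of normalization the http_decode preprocessor performs on URIs before rule matching, and then looks for cmd.exe. The field order assumed for the log lines (IIS W3C extended: method, uri-stem, uri-query, status, win32-status, ...) is an assumption based on the shape of the quoted lines.

```python
import re
from urllib.parse import unquote

# Constructed sample log: the lines quoted in the thread, re-joined onto
# single lines, followed by one constructed percent-encoded request (not
# from the thread) and one benign request.
SAMPLE_LOG = """\
GET /`n@/..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA..GetStartupInfoA../winnt/system32/cmd.exe /c+dir 403 5 3135 133 15 - - - -
GET /`n@/..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue..TlsSetValue../winnt/system32/cmd.exe /c+dir 403 5 3135 113 16 - - - -
GET /WINNT/System32/%63md%2eexe /c+dir 403 5 3135 90 12 - - - -
GET /index.html - 200 0 1024 80 3 - - - -
"""

# The Snort-side equivalent of this check is a rule of the form (example, not
# a stock rule): content:"cmd.exe"; nocase; on port 80 traffic, which only
# matches encoded variants if http_decode has normalized the URI first.
CMD_PATTERN = re.compile(r"cmd\.exe")


def parse_line(line):
    """Split one log line into named fields.

    Assumed field order (IIS W3C extended format, an assumption based on
    the shape of the quoted lines): method, uri-stem, uri-query, status,
    win32-status, bytes-sent, bytes-received, time-taken, then extras.
    Returns None for lines that do not have enough fields.
    """
    parts = line.split()
    if len(parts) < 8:
        return None
    return {
        "method": parts[0],
        "path": parts[1],
        "query": parts[2],
        "status": int(parts[3]),
        "win32_status": int(parts[4]),
    }


def normalize_path(path):
    """Approximate the URI normalization http_decode performs before rule
    matching: percent-decode, treat backslash as a separator, fold case."""
    decoded = unquote(path)
    return decoded.replace("\\", "/").lower()


def find_cmd_requests(log_text):
    """Return one record per request whose normalized path names cmd.exe.

    Each record also notes whether the raw, undecoded path would have
    matched, which shows which hits a non-decoding signature would miss.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        norm = normalize_path(rec["path"])
        if CMD_PATTERN.search(norm):
            hits.append({
                "line": lineno,
                "normalized": norm,
                "status": rec["status"],
                "matches_without_decoding": "cmd.exe" in rec["path"].lower(),
            })
    return hits


if __name__ == "__main__":
    for hit in find_cmd_requests(SAMPLE_LOG):
        print(hit)
```

Run against the sample, the two quoted lines match with or without decoding (cmd.exe is literal in the path), while the constructed percent-encoded line matches only after normalization; the 403 status on every hit confirms the server refused them, which is worth correlating with the sensor alert when tuning a rule.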

