From: Andrew (andrewnoc.ph)
Date: Wed May 23 2001 - 06:08:35 CDT


    My snort has lots of x86 NOPS alerts. Below is a sample dump. Please help
    me interpret this. I would also appreciate it very much if anybody can
    point me to a site where snort log interpretation is explained.

    [**] EXPLOIT x86 NOOP [**]
    05/22-09:11:15.415698 0:1:2:24:42:3B -> 0:50:DA:63:B3:AF type:0x800
    len:0x5EA
    my.snort.machines.ip:20 -> my.nt.workstations.ip:2462 TCP TTL:64 TOS:0x0
    ID:36431 IpLen:20 DgmLen:1500
    ***A**** Seq: 0x1DDC6CA3 Ack: 0x10CE4C Win: 0x4470 TcpLen: 20
    8B 8D 4C FF FF FF 01 F9 B8 35 8F 46 9E F7 E9 89 ..L......5.F....
    95 48 FF FF FF 01 CA 89 95 58 FF FF FF C1 BD 58 .H.......X.....X
    FF FF FF 0F 89 CA C1 FA 1F 29 95 58 FF FF FF 83 .........).X....
    EC 10 57 E8 3C 20 00 00 50 68 B4 24 00 00 8B 85 ..W.< ..Ph.$....
    54 FF FF FF 50 E8 96 50 00 00 83 C4 1C 83 C4 F4 T...P..P........
    8B 95 5C FF FF FF 52 E8 AC 20 00 00 50 68 B9 24 ..\...R.. ..Ph.$
    00 00 8B 85 54 FF FF FF 50 E8 72 50 00 00 83 C4 ....T...P.rP....
    1C 83 C4 F4 53 E8 8E 20 00 00 50 68 B9 24 00 00 ....S.. ..Ph.$..
    8B 95 54 FF FF FF 52 E8 54 50 00 00 83 C4 1C 83 ..T...R.TP......
    C4 F4 8B 85 58 FF FF FF 50 E8 6A 20 00 00 50 68 ....X...P.j ..Ph
    B9 24 00 00 8B 95 54 FF FF FF 52 E8 30 50 00 00 .$....T...R.0P..
    83 C4 1C 8B 85 50 FF FF FF 50 68 BE 24 00 00 8B .....P...Ph.$...
    95 54 FF FF FF 52 E8 15 50 00 00 83 C4 10 8B B6 .T...R..P.......
    A4 03 00 00 85 F6 0F 85 60 FE FF FF 83 C4 FC 68 ........`......h
    30 FA 06 00 68 C2 24 00 00 8B 85 54 FF FF FF 50 0...h.$....T...P
    E8 EB 4F 00 00 83 C4 F8 68 D6 24 00 00 8B 95 54 ..O.....h.$....T
    FF FF FF 52 E8 D7 4F 00 00 83 C4 18 68 E5 24 00 ...R..O.....h.$.
    00 8B 85 54 FF FF FF 50 E8 C3 4F 00 00 83 C4 F8 ...T...P..O.....
    68 18 25 00 00 8B 95 54 FF FF FF 52 E8 AF 4F 00 h.%....T...R..O.
    00 83 C4 20 83 3D 84 8B 00 00 01 75 17 83 C4 F8 ... .=.....u....
    68 39 25 00 00 8B 85 54 FF FF FF 50 E8 8F 4F 00 h9%....T...P..O.
    00 EB 10 90 83 C4 F4 8B 95 54 FF FF FF 52 E8 95 .........T...R..
    4F 00 00 8D A5 28 FF FF FF 5B 5E 5F C9 C3 67 65 O....(...[^_..ge
    74 74 69 6E 67 20 70 61 67 65 20 25 2D 33 30 73 tting page %-30s
    20 25 73 0A 00 90 90 90 55 89 E5 83 EC 10 57 53 %s.....U.....WS
    8B 5D 08 83 3D 7C 8B 00 00 01 75 1E 83 C4 FC 8D .]..=|....u.....
    83 2C 01 00 00 50 8D 83 96 00 00 00 50 68 F2 31 .,...P......Ph.1
    00 00 E8 99 4E 00 00 83 C4 10 BA C8 FA 06 00 89 ....N...........
    D7 31 C0 FC B9 25 00 00 00 F3 AB 66 AB 83 C4 FC .1...%.....f....
    68 95 00 00 00 8D 83 C2 01 00 00 50 52 E8 1E 4E h..........PR..N
    00 00 83 C4 F8 6A 00 53 E8 6F 1C 00 00 83 C4 20 .....j.S.o.....
    85 C0 7E 20 83 C4 F4 53 E8 EB 21 00 00 83 C4 F4 ..~ ...S..!.....
    53 E8 52 22 00 00 83 C4 18 53 68 C0 8C 00 00 E8 S.R".....Sh.....
    0C E8 FF FF 8D 65 E8 5B 5F C9 C3 90 55 89 E5 83 .....e.[_...U...
    EC 0C 57 56 53 31 F6 90 31 FF 8B 1D 28 FA 06 00 ..WVS1..1...(...
    85 DB 0F 84 1E 01 00 00 83 BB 98 03 00 00 00 0F ................
    85 03 01 00 00 46 A1 20 8C 00 00 85 C0 74 19 39 .....F. .....t.9
    C6 7C 15 83 C4 F4 6A 00 E8 63 F2 FF FF 83 C4 F4 .|....j..c......
    6A 00 E8 91 4D 00 00 90 BF 01 00 00 00 C7 83 98 j...M...........
    03 00 00 01 00 00 00 8B 83 84 03 00 00 83 F8 0C ................
    0F 87 C2 00 00 00 FF 24 85 14 33 00 00 90 90 90 .......$..3.....
    48 33 00 00 54 33 00 00 60 33 00 00 60 33 00 00 H3..T3..`3..`3..
    6C 33 00 00 78 33 00 00 84 33 00 00 90 33 00 00 l3..x3...3...3..
    9C 33 00 00 A8 33 00 00 B4 33 00 00 60 33 00 00 .3...3...3..`3..
    C0 33 00 00 83 C4 F4 53 E8 BB FE FF FF EB 76 90 .3.....S......v.
    83 C4 F4 53 E8 8B 0C 00 00 EB 6A 90 83 C4 F4 53 ...S......j....S
    E8 77 08 00 00 EB 5E 90 83 C4 F4 53 E8 2B 1F 00 .w....^....S.+..
    00 EB 52 90 83 C4 F4 53 E8 6F 23 00 00 EB 46 90 ..R....S.o#...F.
    83 C4 F4 53 E8 E7 24 00 00 EB 3A 90 83 C4 F4 53 ...S..$...:....S
    E8 EF 24 00 00 EB 2E 90 83 C4 F4 53 E8 F7 24 00 ..$........S..$.
    00 EB 22 90 83 C4 F4 53 E8 FF 24 00 00 EB 16 90 .."....S..$.....
    83 C4 F4 53 E8 07 25 00 00 EB 0A 90 83 C4 F4 53 ...S..%........S
    E8 0F 25 00 00 83 C4 10 8B 9B A4 03 00 00 85 DB ..%.............
    0F 85 E2 FE FF FF 85 FF 0F 85 CA FE FF FF 8D 65 ...............e
    E8 5B 5E 5F C9 C3 6C 69 6E 6B 63 68 65 63 6B 20 .[^_..linkcheck
    25 73 0A 00 55 89 E5 83 EC 14 53 8B 5D 08 83 C4 %s..U.....S.]...
    F8 FF 35 6C 82 00 00 68 EA 33 00 00 E8 BF 4C 00 ..5l...h.3....L.
    00 83 C4 10 83 FB 01 75 0B 83 C4 F4 6A 00 E8 55 .......u....j..U
    4C 00 00 90 8B 5D E8 C9 C3 90 90 90 90 90 90 90 L....]..........
    90 90 90 90 55 73 61 67 65 3A 20 6C 69 6E 6B 63 ....Usage: linkc
    68 65 63 6B 20 5B 6F 70 74 69 6F 6E 73 5D 20 55 heck [options] U
    52 4C 0A 00 4F 70 74 69 6F 6E 73 3A 0A 00 90 90 RL..Options:....
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    90 90 90 90 20 20 2D 56 2C 20 2D 2D 76 65 72 73 .... -V, --vers
    69 6F 6E 20 20 20 20 20 20 20 20 20 56 45 52 53 ion VERS
    49 4F 4E 2C 20 70 72 69 6E 74 73 20 76 65 72 73 ION, prints vers
    69 6F 6E 20 6E 75 6D 62 65 72 20 74 6F 20 73 63 ion number to sc
    72 65 65 6E 2E 00 90 90 90 90 90 90 90 90 90 90 reen............
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    90 90 90 90 20 20 2D 68 2C 20 2D 2D 68 65 6C 70 .... -h, --help
    20 20 20 20 20 20 20 20 20 20 20 20 48 45 4C 50 HELP
    2C 20 70 72 69 6E 74 73 20 74 68 69 73 20 73 65 , prints this se
    63 74 69 6F 6E 2E 00 90 90 90 90 90 90 90 90 90 ction...........
    90 90 90 90 20 20 2D 76 2C 20 2D 2D 76 65 72 62 .... -v, --verb
    6F 73 65 20 20 20 20 20 20 20 20 20 56 45 52 42 ose VERB
    4F 53 45 2C 20 70 72 69 6E 74 73 20 6E 6F 74 69 OSE, prints noti
    66 69 63 61 74 69 6F 6E 20 74 6F 20 73 63 72 65 fication to scre
    65 6E 2E 00 20 20 2D 66 2C 20 2D 2D 66 69 6C 65 en.. -f, --file
    3D 46 49 4C 45 20 20 20 20 20 20 20 46 49 4C 45 =FILE FILE
    2C 20 63 68 61 6E 67 65 20 74 68 65 20 6F 75 74 , change the out
    70 75 74 20 66 69 6C 65 20 74 6F 20 46 49 4C 45 put file to FILE
    2E 00 90 90 20 20 2D 72 2C 20 2D 2D 72 65 6D 6F .... -r, --remo
    74 65 20 20 20 20 20 20 20 20 20 20 52 45 4D 4F te REMO
    54 45 2C 20 64 6F 20 6E 6F 74 20 63 68 65 63 6B TE, do not check
    20 72 65 6D 6F 74 65 20 73 69 74 65 73 20 28 72 remote sites (r
    75 6E 73 20 66 61 73 74 65 72 29 00 90 90 90 90 uns faster).....
    90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
    90 90 90 90 20 20 2D 70 2C 20 2D 2D 70 6F 72 74 .... -p, --port
    3D 50 4F 52 54 20 20 20 20 20 20 20 50 4F 52 54 =PORT PORT
    2C 20 63 68 61 6E 67 65 20 66 72 6F 6D 20 73 74 , change from st
    61 6E 64 61 72 64 20 68 74 74 70 20 70 6F 72 74 andard http port
    20 38 30 20 80
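
As an added example (not part of Andrew's post, and not Snort's own code), the script below parses an alert in the text format quoted above and does the three things that make such an alert readable: it pulls the header fields out (source and destination, ports, TTL, sequence numbers), decodes the hex dump back into bytes, measures the longest run of 0x90 (the x86 one-byte NOP the rule keys on), and lists the printable strings so you can see what the payload actually is. The embedded SAMPLE_ALERT is a subset of the lines from the post (the header plus ten dump lines), kept as the archive shows them; the 14-byte NOP threshold in triage() is an assumption about the rule, since the post does not quote the rule text. On that sample it reports a 22-byte run of 0x90, a TCP source port of 20 (ftp-data), and strings such as "Usage: linkcheck [options] URL", which is what a compiled program being copied over an FTP data connection looks like: the 0x90 bytes sit between a function epilogue (C9 C3, leave/ret) and the next prologue (55 89 E5, push ebp/mov ebp,esp), consistent with compiler alignment padding rather than a shellcode sled.

```python
import re

# Constructed sample: a subset of the lines quoted in the post above (the
# header plus ten of the hex-dump lines), kept as the archive shows them,
# with the "len:" and "ID:" header fields wrapped onto their own lines.
SAMPLE_ALERT = """\
[**] EXPLOIT x86 NOOP [**]
05/22-09:11:15.415698 0:1:2:24:42:3B -> 0:50:DA:63:B3:AF type:0x800
len:0x5EA
my.snort.machines.ip:20 -> my.nt.workstations.ip:2462 TCP TTL:64 TOS:0x0
ID:36431 IpLen:20 DgmLen:1500
***A**** Seq: 0x1DDC6CA3 Ack: 0x10CE4C Win: 0x4470 TcpLen: 20
8B 8D 4C FF FF FF 01 F9 B8 35 8F 46 9E F7 E9 89 ..L......5.F....
4F 00 00 8D A5 28 FF FF FF 5B 5E 5F C9 C3 67 65 O....(...[^_..ge
74 74 69 6E 67 20 70 61 67 65 20 25 2D 33 30 73 tting page %-30s
20 25 73 0A 00 90 90 90 55 89 E5 83 EC 10 57 53  %s.....U.....WS
4C 00 00 90 8B 5D E8 C9 C3 90 90 90 90 90 90 90 L....]..........
90 90 90 90 55 73 61 67 65 3A 20 6C 69 6E 6B 63 ....Usage: linkc
68 65 63 6B 20 5B 6F 70 74 69 6F 6E 73 5D 20 55 heck [options] U
52 4C 0A 00 4F 70 74 69 6F 6E 73 3A 0A 00 90 90 RL..Options:....
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
90 90 90 90 20 20 2D 56 2C 20 2D 2D 76 65 72 73 .... -V, --vers
"""

SIG = re.compile(r"\[\*\*\] (.+?) \[\*\*\]")
TIMESTAMP = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)", re.M)
FLOW = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (TCP|UDP)", re.M)
TCP_FLAGS = re.compile(r"^(\S{8}) Seq:", re.M)
# key:value header fields, searched over the whole text so wrapped lines still parse
FIELD = re.compile(r"\b(type|len|TTL|TOS|ID|IpLen|DgmLen|Seq|Ack|Win|TcpLen):\s*(\S+)")
# One dump line: up to 16 hex byte tokens, then the ASCII column. Capped at 16
# because the archive collapsed Snort's fixed-width columns into single spaces.
HEX_LINE = re.compile(r"^\s*((?:[0-9A-Fa-f]{2} ){1,15}[0-9A-Fa-f]{2})(?=\s|$)")


def _first(regex, text):
    m = regex.search(text)
    return m.group(1) if m else None


def parse_alert(text):
    """Parse one Snort text-mode alert (header plus hex dump) into a dict."""
    alert = {
        "signature": _first(SIG, text),
        "timestamp": _first(TIMESTAMP, text),
        "flags": _first(TCP_FLAGS, text),
    }
    m = FLOW.search(text)
    if m:
        alert.update(src=m.group(1), sport=int(m.group(2)),
                     dst=m.group(3), dport=int(m.group(4)), proto=m.group(5))
    for key, value in FIELD.findall(text):
        alert[key] = int(value, 0)  # base 0 accepts both "64" and "0x4470"
    payload = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            payload += bytes.fromhex(m.group(1))
    alert["payload"] = bytes(payload)
    return alert


def longest_run(payload, byte=0x90):
    """Length of the longest run of `byte`; 0x90 is the x86 one-byte NOP."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b == byte else 0
        best = max(best, cur)
    return best


def extract_strings(payload, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    found, cur = [], []
    for b in list(payload) + [0]:  # trailing 0 flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(chr(b))
        else:
            if len(cur) >= min_len:
                found.append("".join(cur))
            cur = []
    return found


def triage(alert, nop_threshold=14):
    """Facts to weigh before calling the alert a false positive. nop_threshold is
    an assumption about how many 0x90 bytes the rule needs (not from the post)."""
    payload = alert["payload"]
    strings = extract_strings(payload)
    run = longest_run(payload)
    return {
        "nop_run": run,
        "meets_nop_threshold": run >= nop_threshold,
        "from_ftp_data": alert.get("proto") == "TCP" and alert.get("sport") == 20,
        "has_usage_text": any(s.startswith("Usage:") for s in strings),
        "strings": strings,
    }


if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(f"{a['signature']}: {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']} "
          f"{a['proto']} flags={a['flags']}, {len(a['payload'])} payload bytes")
    for key, value in triage(a).items():
        print(f"  {key}: {value}")
```

The header regexes search the whole alert text rather than fixed line positions, so fields a mail client wrapped onto their own line (len:, ID:) are still picked up. The one fragile spot is the dump matcher: because the archive collapsed Snort's fixed-width hex and ASCII columns into single spaces, a short final line whose ASCII column happens to begin with two hex digits could be over-read, which is why it caps at 16 bytes and why the last, truncated line of the post is left out of the sample.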