From: Abe Wagner (abewagner@hotmail.com)
Date: Fri May 10 2002 - 10:52:18 CDT


    Hi,
    Recently I have been logging a lot of "id command attempt" attacks. When I
    examine the alert log, it looks very normal, with identified source and
    destination IP addresses and TCP ports. However, when I look into the
    packet, almost no relevant information seems to be there. If I look into
    the "Trailer" information, I can see the data "fc 30 00 50" which I surmise
    is the source and destination ports of 64560 and 80.

    I am logging thousands of other packets daily and they are all showing up
    very nicely in the tcpdump -- but not the packets from the "id command
    attempt" type of attack. If these packets really don't contain my IP
    address, how do they get to my server? Or is it some sort of logging error? I
    have watched the attacks increase in number and frequency over the last
    several weeks and I am getting nervous...

    Thanks,
    Abe

    PS. I am using Snort 1.8.3 on W2K.

    -----Alert generated by snort

    05/07-23:37:35.723647 [**] [1:1333:1] WEB-ATTACKS id command attempt [**]
    [Classification: Web Application Attack] [Priority: 1] {TCP}
    24.100.12.135:64560 -> xxx.xxx.xxx.xxx:80

    -----Packet captured by snort tcpdump, viewed by Ethereal

    Frame 2190 (676 on wire, 676 captured)
        Arrival Time: May 7, 2002 23:37:35.723647000
        Time delta from previous packet: 457.393350000 seconds
        Time relative to first packet: 112488.865603000 seconds
        Frame Number: 2190
        Packet Length: 676 bytes
        Capture Length: 676 bytes
    IEEE 802.3 Ethernet
        Destination: 00:00:00:00:00:00 (XEROX_00:00:00)
        Source: 00:00:00:00:00:00 (XEROX_00:00:00)
        Length: 0
        Trailer: 00000000000000000000000000000000...
    [Malformed Packet: LLC]

    0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0170 fc 30 00 50 14 19 98 0d 6d 72 00 ee 50 18 3b d4 .0.P....mr..P.;.
    0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    01a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    01b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    01c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    01d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    01e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    01f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    02a0 00 00 00 00 ....

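The only thing in the logged frame that is not zero is the 16-byte run at 0x170, so the useful check is whether those bytes decode as the TCP header the alert describes. The script below is an added example, not code from the original post or from the Snort project. It rebuilds the 676-byte frame from the hex dump exactly as pasted (only the two non-zero lines are carried; every other line of the dump is zeros), finds the non-zero span, and reads it as a fixed TCP header. Those bytes decode as port 64560 -> 80, PSH+ACK, data offset 5 (a 20-byte header), which agrees with the alert line and with Abe's guess about the ports. Everything that should precede a TCP header, the Ethernet and IP headers, is zero, which is why Ethereal shows 00:00:00:00:00:00 MAC addresses and reports the frame as malformed; the script also flags that the header sits at 0x170 rather than at byte 34, where an Ethernet II + IPv4 frame with no IP options would place it. The `FRAME_DUMP` lines are copied from the post; the function names are my own.

```python
"""Decode the non-zero region of an otherwise all-zero captured frame.

Added example for the Snort-users thread above; not part of the original
post and not Snort code. The hex dump lines are copied from the post.
"""
import struct

# Hex dump lines copied from the post (ASCII column dropped). Every other
# line of the 676-byte frame is zeros, so only the non-zero lines are kept.
FRAME_LEN = 676
FRAME_DUMP = """\
0170 fc 30 00 50 14 19 98 0d 6d 72 00 ee 50 18 3b d4
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

TCP_FLAG_NAMES = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                  ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))

# Where a TCP header normally starts in an Ethernet II + IPv4 frame with
# no IP options: 14-byte Ethernet header followed by a 20-byte IP header.
ETH_IPV4_TCP_OFFSET = 14 + 20


def parse_hexdump(text, frame_len=FRAME_LEN):
    """Turn 'offset b0 b1 ...' lines into a zero-filled frame of frame_len bytes."""
    frame = bytearray(frame_len)
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        offset = int(fields[0], 16)
        data = bytes(int(b, 16) for b in fields[1:])
        frame[offset:offset + len(data)] = data
    return bytes(frame)


def nonzero_span(frame):
    """Return (first, last + 1) offsets bounding the non-zero bytes, or None."""
    idx = [i for i, b in enumerate(frame) if b]
    if not idx:
        return None
    return idx[0], idx[-1] + 1


def decode_tcp_header(frame, offset):
    """Decode the 20 fixed bytes of a TCP header found at `offset`."""
    (sport, dport, seq, ack, off_res, flags,
     window, csum, urg) = struct.unpack_from("!HHIIBBHHH", frame, offset)
    return {
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": off_res >> 4,      # header length in 32-bit words
        "reserved": off_res & 0x0F,       # must be zero in a real header
        "flags": [name for name, bit in TCP_FLAG_NAMES if flags & bit],
        "window": window,
        "checksum": csum,
        "urgent": urg,
    }


def looks_like_tcp_header(hdr):
    """Cheap sanity check: legal data offset, reserved bits clear, ports non-zero."""
    return (5 <= hdr["data_offset"] <= 15 and hdr["reserved"] == 0
            and hdr["src_port"] != 0 and hdr["dst_port"] != 0)


def analyse_frame(frame):
    """Locate the non-zero bytes and try to read them as a TCP header."""
    span = nonzero_span(frame)
    if span is None:
        return {"empty": True}
    start, end = span
    hdr = decode_tcp_header(frame, start)
    return {
        "empty": False,
        "nonzero_start": start,
        "nonzero_len": end - start,
        "tcp": hdr,
        "plausible_tcp": looks_like_tcp_header(hdr),
        # True only when the header sits where an Ethernet/IPv4 frame puts it.
        "at_expected_offset": start == ETH_IPV4_TCP_OFFSET,
    }


if __name__ == "__main__":
    result = analyse_frame(parse_hexdump(FRAME_DUMP))
    tcp = result["tcp"]
    print(f"non-zero bytes at 0x{result['nonzero_start']:x}, "
          f"{result['nonzero_len']} long; plausible TCP: {result['plausible_tcp']}")
    print(f"{tcp['src_port']} -> {tcp['dst_port']} flags={','.join(tcp['flags'])} "
          f"seq={tcp['seq']} ack={tcp['ack']} win={tcp['window']}")
    print("header at Ethernet+IPv4 offset:", result["at_expected_offset"])
```

Two things follow from the decode. First, the alert line carries a source and destination IP, so the bytes Snort matched had an IP header; the logged frame has none, so the alert and the logged packet are not the same bytes, and the missing addresses are a logging artifact rather than a packet that somehow arrived without them. Second, a frame with zeroed link-layer and IP headers cannot match a TCP content rule, so replaying the log file with `snort -r <logfile>` against the same rule set is a quick way to confirm that what was written to disk is not what triggered sid 1333.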

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users