SnortSnarf alert page

Source: 24.164.56.165

SnortSnarf v021111.1

17 such alerts found using input module SnortFileInput, with sources:
Earliest: 16:53:47.432647 on 06/11/2003
Latest: 16:54:42.006347 on 06/11/2003

6 different signatures are present for 24.164.56.165 as a source

There is 1 distinct destination IP in the alerts of the type on this page.


[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/11-16:53:47.432647 24.164.56.165:2976 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:37637 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x28F96B78 Ack: 0x2553960A Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/11-16:53:49.022714 24.164.56.165:3150 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:38262 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x297C2628 Ack: 0x25BAE41F Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/11-16:53:50.584224 24.164.56.165:3306 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:38829 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x29ED841B Ack: 0x265B3B25 Win: 0x4470 TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/11-16:53:51.882480 24.164.56.165:3496 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:39353 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x2A779211 Ack: 0x2640EE48 Win: 0x4470 TcpLen: 20

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/11-16:54:02.130082 24.164.56.165:1277 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:43391 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x2E1BEBA6 Ack: 0x264EF21B Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
06/11-16:54:12.768114 24.164.56.165:2569 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:47493 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x31CBB21F Ack: 0x2730B39A Win: 0x4470 TcpLen: 20

[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
06/11-16:54:14.212417 24.164.56.165:2760 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:48047 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x3255E776 Ack: 0x27280E2B Win: 0x4470 TcpLen: 20

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/11-16:54:18.681943 24.164.56.165:3338 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:49957 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x34007292 Ack: 0x2814355D Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/11-16:54:19.996026 24.164.56.165:3521 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:50552 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x3482CA1E Ack: 0x2741BD88 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/11-16:54:21.066781 24.164.56.165:3693 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:51001 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x34F98958 Ack: 0x27BCD916 Win: 0x4470 TcpLen: 20

[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/11-16:54:25.744659 24.164.56.165:4380 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:52663 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x3667F6CD Ack: 0x27A4DD0F Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/11-16:54:27.204573 24.164.56.165:4741 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:53219 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x37008132 Ack: 0x2838D134 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/11-16:54:28.662978 24.164.56.165:1071 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:53762 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x378613AA Ack: 0x28FD13EE Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/11-16:54:30.152451 24.164.56.165:1235 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:54376 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x37FBC1DF Ack: 0x29617CCF Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/11-16:54:33.193129 24.164.56.165:1235 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:55702 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x37FBC1DF Ack: 0x29617CCF Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/11-16:54:40.661777 24.164.56.165:2584 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:58827 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x3BD78A02 Ack: 0x29EA92B8 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
06/11-16:54:42.006347 24.164.56.165:2787 -> 192.168.1.6:80
TCP TTL:114 TOS:0x0 ID:59382 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x3C6B8E4A Ack: 0x29E0CFC0 Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:54 2003