SnortSnarf alert page

Source: 24.209.105.156: #301-306

SnortSnarf v021111.1

Looking using input module SnortFileInput, with sources:
Earliest: 13:16:33.319095 on 05/05/2003
Latest: 13:16:46.098697 on 05/05/2003

7 different signatures are present for 24.209.105.156 as a source

There is 1 distinct destination IP in the alerts of the type on this page.

[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-13:16:33.319095 24.209.105.156:4798 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:18303 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x24EFD0F6 Ack: 0x2906B7EA Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-13:16:33.398421 24.209.105.156:4914 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:18313 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x25516B21 Ack: 0x28A7E8A0 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-13:16:42.802073 24.209.105.156:3198 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:19172 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x264646C4 Ack: 0x2AF09645 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-13:16:45.868752 24.209.105.156:3295 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:19449 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x2694B634 Ack: 0x2A2713CB Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-13:16:45.972069 24.209.105.156:3301 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:19470 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x269916DD Ack: 0x2A57135F Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/05-13:16:46.098697 24.209.105.156:3309 -> 192.168.1.6:80
TCP TTL:116 TOS:0x0 ID:19485 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x269F79CF Ack: 0x2A27B41D Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:09:28 2003