SnortSnarf alert page

Source: 216.65.98.13

SnortSnarf v021111.1

23 such alerts found using input module SnortFileInput, with sources:
Earliest: 13:05:37.481911 on 05/10/2003
Latest: 01:53:29.966072 on 06/12/2003

3 different signatures are present for 216.65.98.13 as a source

There is 1 distinct destination IP in the alerts of the type on this page.


[**] [1:650:5] SHELLCODE x86 setuid 0 [**]
[Classification: A system call was detected] [Priority: 2]
05/10-13:05:37.481911 216.65.98.13:119 -> 192.168.1.101:1799
TCP TTL:102 TOS:0x0 ID:61386 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xECC2ADE2 Ack: 0x6B97336C Win: 0xF95B TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS436]
[**] [1:1394:3] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-03:44:59.334711 216.65.98.13:119 -> 192.168.1.101:2900
TCP TTL:102 TOS:0x0 ID:10479 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xD55069EE Ack: 0x484AEB7F Win: 0xF56E TcpLen: 20
[**] [1:1394:3] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-03:44:59.355707 216.65.98.13:119 -> 192.168.1.101:2898
TCP TTL:102 TOS:0x0 ID:10515 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xD55175B5 Ack: 0x48493BDB Win: 0xF68B TcpLen: 20
[**] [1:1394:3] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-03:45:00.332635 216.65.98.13:119 -> 192.168.1.101:2898
TCP TTL:102 TOS:0x0 ID:12573 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xD5527174 Ack: 0x48493BF9 Win: 0xF66D TcpLen: 20
[**] [1:1394:3] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/11-03:45:05.112251 216.65.98.13:119 -> 192.168.1.101:2899
TCP TTL:102 TOS:0x0 ID:23194 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xD53D3BF6 Ack: 0x484A2583 Win: 0xF57D TcpLen: 20
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/12-12:37:44.368369 216.65.98.13:119 -> 192.168.1.101:1243
TCP TTL:103 TOS:0x0 ID:56244 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xAAE1F2F5 Ack: 0xACE72F4D Win: 0xF833 TcpLen: 20
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/12-12:52:34.264633 216.65.98.13:119 -> 192.168.1.101:1282
TCP TTL:103 TOS:0x0 ID:65015 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xC399D1D6 Ack: 0xB6829DC5 Win: 0xFA80 TcpLen: 20
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/12-12:52:39.700117 216.65.98.13:119 -> 192.168.1.101:1282
TCP TTL:103 TOS:0x0 ID:9650 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xC3A15737 Ack: 0xB6829DD3 Win: 0xFA72 TcpLen: 20
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/12-12:52:52.130952 216.65.98.13:119 -> 192.168.1.101:1281
TCP TTL:103 TOS:0x0 ID:29603 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xC3719AC3 Ack: 0xB676B1D3 Win: 0xFA9C TcpLen: 20
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/12-12:52:55.864154 216.65.98.13:119 -> 192.168.1.101:1282
TCP TTL:103 TOS:0x0 ID:35129 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xC3BF3824 Ack: 0xB6829E19 Win: 0xFA2C TcpLen: 20
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/12-12:53:36.834621 216.65.98.13:119 -> 192.168.1.101:1282
TCP TTL:103 TOS:0x0 ID:46537 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xC40685D9 Ack: 0xB6829EC1 Win: 0xF984 TcpLen: 20
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/12-12:53:41.786873 216.65.98.13:119 -> 192.168.1.101:1281
TCP TTL:103 TOS:0x0 ID:52942 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xC3CD006B Ack: 0xB676B2A5 Win: 0xF9CA TcpLen: 20
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
05/12-12:53:44.255533 216.65.98.13:119 -> 192.168.1.101:1281
TCP TTL:103 TOS:0x0 ID:57882 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xC3D3E80D Ack: 0xB676B2B3 Win: 0xF9BC TcpLen: 20
[**] [1:650:5] SHELLCODE x86 setuid 0 [**]
[Classification: A system call was detected] [Priority: 2]
05/17-01:55:29.675875 216.65.98.13:119 -> 192.168.1.101:2127
TCP TTL:109 TOS:0x0 ID:46789 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xB22B70B8 Ack: 0x9657BCC9 Win: 0xF721 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS436]
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
06/12-01:42:48.770267 216.65.98.13:119 -> 192.168.1.101:1693
TCP TTL:105 TOS:0x0 ID:51922 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7AFBA9EC Ack: 0xC98CA468 Win: 0xF92E TcpLen: 20
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
06/12-01:42:48.771533 216.65.98.13:119 -> 192.168.1.101:1693
TCP TTL:105 TOS:0x0 ID:51925 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7AFBAFA0 Ack: 0xC98CA468 Win: 0xF92E TcpLen: 20
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
06/12-01:43:51.571792 216.65.98.13:119 -> 192.168.1.101:1693
TCP TTL:105 TOS:0x0 ID:58916 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7B9D02BD Ack: 0xC98CA882 Win: 0xFAD2 TcpLen: 20
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
06/12-01:44:33.763066 216.65.98.13:119 -> 192.168.1.101:1693
TCP TTL:104 TOS:0x0 ID:52102 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7BF41C76 Ack: 0xC98CAACB Win: 0xF889 TcpLen: 20
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
06/12-01:46:04.393014 216.65.98.13:119 -> 192.168.1.101:1693
TCP TTL:104 TOS:0x0 ID:10199 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7D17FA9A Ack: 0xC98CAF7B Win: 0xF997 TcpLen: 20
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
06/12-01:46:10.268168 216.65.98.13:119 -> 192.168.1.101:1693
TCP TTL:104 TOS:0x0 ID:41559 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7D2FF4B8 Ack: 0xC98CAFE4 Win: 0xF92E TcpLen: 20
[**] [1:1390:3] SHELLCODE x86 inc ebx NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
06/12-01:46:31.288710 216.65.98.13:119 -> 192.168.1.101:1693
TCP TTL:104 TOS:0x0 ID:5684 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7D630D48 Ack: 0xC98CB098 Win: 0xF87A TcpLen: 20
[**] [1:1394:3] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
06/12-01:46:42.161284 216.65.98.13:119 -> 192.168.1.101:1693
TCP TTL:104 TOS:0x0 ID:51392 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7D84ACDB Ack: 0xC98CB110 Win: 0xF802 TcpLen: 20
[**] [1:1394:3] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
06/12-01:53:29.966072 216.65.98.13:119 -> 192.168.1.101:1693
TCP TTL:103 TOS:0x0 ID:12586 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x828AD144 Ack: 0xC98CC592 Win: 0xFA78 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:54 2003