
SnortSnarf alert page

Source: 24.150.202.37

SnortSnarf v021111.1


32 such alerts found using input module SnortFileInput, with sources:
Earliest: 13:57:57.038535 on 05/03/2003
Latest: 03:46:00.723914 on 05/21/2003

6 different signatures are present for 24.150.202.37 as a source

There is 1 distinct destination IP in the alerts of the type on this page.



[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/03-13:57:57.038535 24.150.202.37:4664 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:36184 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xFEC07CF6 Ack: 0x46C0A37F Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/03-13:58:00.029246 24.150.202.37:1042 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:36748 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0xFFAFBE1C Ack: 0x470CECB0 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/03-13:58:00.263899 24.150.202.37:1048 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:36788 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xFFB556C5 Ack: 0x46C1285B Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/03-13:58:00.514859 24.150.202.37:1052 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:36826 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xFFB99539 Ack: 0x4750710A Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/03-13:58:00.850592 24.150.202.37:1055 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:36873 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xFFBD510B Ack: 0x478AA910 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/03-13:58:04.196023 24.150.202.37:1063 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:37504 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0xFFC458D2 Ack: 0x46FF87B4 Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/03-13:58:13.404496 24.150.202.37:1156 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:38775 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x147777 Ack: 0x47251578 Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/03-13:58:13.752024 24.150.202.37:1347 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:38827 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0xC68C6A Ack: 0x48008D98 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/03-13:58:22.937227 24.150.202.37:1357 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:40047 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xCC8B96 Ack: 0x47CB43DB Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/03-13:58:26.210397 24.150.202.37:1529 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:40427 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x1713BAF Ack: 0x48BFE65F Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/03-13:58:26.497425 24.150.202.37:1586 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:40472 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x1A4710B Ack: 0x48DD4203 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/03-13:58:29.960303 24.150.202.37:1648 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:40918 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x1E0889F Ack: 0x49152EFD Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/03-13:58:39.420967 24.150.202.37:1831 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:42223 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x2871B4B Ack: 0x4930D731 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/03-13:58:48.778720 24.150.202.37:1837 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:43286 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x28D10CE Ack: 0x4908C570 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/03-13:58:49.013105 24.150.202.37:1996 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:43339 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x3233265 Ack: 0x49E7BCD1 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/03-13:58:49.232138 24.150.202.37:2006 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:43391 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x32B22F3 Ack: 0x4A05F7C1 Win: 0x4470 TcpLen: 20
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-03:45:21.508753 24.150.202.37:2349 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:29768 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1DB248EA Ack: 0x4961BF29 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-03:45:25.265558 24.150.202.37:2413 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:30825 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x1DE5D0D3 Ack: 0x48E9E43B Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-03:45:25.513009 24.150.202.37:2672 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:30900 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x1EB28B80 Ack: 0x492DC780 Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-03:45:28.757216 24.150.202.37:2687 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:31936 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x1EBE92BC Ack: 0x49B3E35B Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-03:45:28.992214 24.150.202.37:2944 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:32016 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x1F881039 Ack: 0x49D3F618 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-03:45:31.956795 24.150.202.37:2944 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:32846 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x1F881039 Ack: 0x49D3F618 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/21-03:45:32.405203 24.150.202.37:3208 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:32979 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x20516B17 Ack: 0x4A174464 Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/21-03:45:35.957340 24.150.202.37:3462 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:33930 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x2114C8B1 Ack: 0x49C8D25A Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-03:45:42.200173 24.150.202.37:3754 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:35755 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x21F8F8B9 Ack: 0x4A6F5392 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-03:45:46.156863 24.150.202.37:4010 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:36960 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x22C01B9E Ack: 0x4A15BDD4 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-03:45:52.828077 24.150.202.37:4657 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:39006 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x249AF1D0 Ack: 0x4B3EFEBC Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-03:45:53.127729 24.150.202.37:1037 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:39100 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x256945A6 Ack: 0x4ABAD468 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-03:45:53.463468 24.150.202.37:1060 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:39199 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x257BD713 Ack: 0x4BA93A2E Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-03:45:53.880170 24.150.202.37:1097 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:39329 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x25973120 Ack: 0x4B6730BD Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-03:46:00.405883 24.150.202.37:1378 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:41201 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x267475DA Ack: 0x4BCDC312 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/21-03:46:00.723914 24.150.202.37:1637 -> 192.168.1.6:80
TCP TTL:110 TOS:0x0 ID:41285 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x273A44CE Ack: 0x4BE514A9 Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:52 2003