SnortSnarf alert page

Source: 24.191.37.113

SnortSnarf v021111.1

Signature section (91123)

Top 20 source IPs

Top 20 dest IPs

17 such alerts found using input module SnortFileInput, with sources:

/home/rivettmj/snort_alertlog/alert

Earliest: 15:04:01.580886 on 06/12/2003
Latest: 15:04:10.008706 on 06/12/2003

6 different signatures are present for 24.191.37.113 as a source

1 instances of WEB-IIS _mem_bin access
1 instances of WEB-FRONTPAGE /_vti_bin/ access
2 instances of WEB-IIS CodeRed v2 root.exe access
4 instances of WEB-IIS multiple decode attempt
4 instances of WEB-IIS cmd.exe access
5 instances of WEB-IIS unicode directory traversal attempt

There are 1 distinct destination IPs in the alerts of the type on this page.

24.191.37.113 Whois lookup at: ARIN RIPE APNIC Geektools

DNS lookup at: Amenesi TRIUMF Princeton

More lookup links: Dshield Sam Spade

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/12-15:04:01.580886 24.191.37.113:3564 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:62726 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x5C36ACB3  Ack: 0xC811A3F3  Win: 0xFAF0  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/12-15:04:01.817322 24.191.37.113:3567 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:62742 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x5C39FE38  Ack: 0xC757D971  Win: 0xFAF0  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/12-15:04:01.936412 24.191.37.113:3571 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:62751 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x5C3C5CDB  Ack: 0xC78DB4C8  Win: 0xFAF0  TcpLen: 20

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/12-15:04:02.062717 24.191.37.113:3574 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:62768 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x5C3EA98C  Ack: 0xC829D38B  Win: 0xFAF0  TcpLen: 20

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/12-15:04:02.216036 24.191.37.113:3578 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:62779 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x5C429C21  Ack: 0xC788E8A5  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
06/12-15:04:02.356729 24.191.37.113:3585 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:62798 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x5C47FD5B  Ack: 0xC78E3A19  Win: 0xFAF0  TcpLen: 20

[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2] 
06/12-15:04:02.477013 24.191.37.113:3587 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:62807 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x5C49E2FF  Ack: 0xC78F62C5  Win: 0xFAF0  TcpLen: 20

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/12-15:04:02.606274 24.191.37.113:3589 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:62816 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x5C4BE637  Ack: 0xC76D50FE  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/12-15:04:02.770779 24.191.37.113:3597 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:62832 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x5C51F0D2  Ack: 0xC78EFF5E  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/12-15:04:02.909802 24.191.37.113:3600 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:62849 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x5C5491B5  Ack: 0xC820166C  Win: 0xFAF0  TcpLen: 20

[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/12-15:04:03.036231 24.191.37.113:3603 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:62859 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x5C57B22F  Ack: 0xC79BCB24  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/12-15:04:03.153084 24.191.37.113:3605 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:62868 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x5C59D906  Ack: 0xC7A32CA1  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/12-15:04:06.633531 24.191.37.113:3709 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:63135 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x5CB16C81  Ack: 0xC79C8A32  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/12-15:04:06.760891 24.191.37.113:3713 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:63150 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x5CB4B9B6  Ack: 0xC8907A8C  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/12-15:04:09.777559 24.191.37.113:3713 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:63327 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x5CB4B9B6  Ack: 0xC8907A8C  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1] 
06/12-15:04:09.890178 24.191.37.113:3795 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:63341 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x5CFA9097  Ack: 0xC87284EF  Win: 0xFAF0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1] 
06/12-15:04:10.008706 24.191.37.113:3802 -> 192.168.1.6:80
TCP TTL:113 TOS:0x0 ID:63352 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x5CFF7C75  Ack: 0xC7FC494A  Win: 0xFAF0  TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:54 2003

24.191.37.113	Whois lookup at:	ARIN	RIPE	APNIC	Geektools
	DNS lookup at:	Amenesi	TRIUMF	Princeton
	More lookup links:	Dshield	Sam Spade