SnortSnarf alert page

Source: 24.209.191.91: #101-136

SnortSnarf v021111.1

Looking using input module SnortFileInput, with sources:
Earliest: 13:46:48.253298 on 05/24/2003
Latest: 14:34:05.086257 on 05/24/2003

7 different signatures are present for 24.209.191.91 as a source

There is 1 distinct destination IP in the alerts of the type on this page.

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:46:48.253298 24.209.191.91:3536 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:23456 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x6FF95F9E Ack: 0xE91D73EE Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:46:48.519851 24.209.191.91:3827 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:23528 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x70DBB9FE Ack: 0xE92697C2 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:46:48.966134 24.209.191.91:3853 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:23629 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x70EF9848 Ack: 0xE8E6A590 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:46:52.487430 24.209.191.91:4131 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:24667 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x71C9140A Ack: 0xE93D14C3 Win: 0x4470 TcpLen: 20
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:58:51.147751 24.209.191.91:3892 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:53544 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x2F7495F8 Ack: 0x15A08402 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:58:54.467887 24.209.191.91:4242 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:54719 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x307EE86A Ack: 0x164ECBF7 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:58:54.819867 24.209.191.91:4270 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:54791 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x30942E12 Ack: 0x15F6CFCE Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:58:55.040908 24.209.191.91:4304 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:54893 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x30AD80ED Ack: 0x161158EC Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:58:55.341831 24.209.191.91:4331 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:54962 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x30C2EC40 Ack: 0x162292C1 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/24-13:58:55.602029 24.209.191.91:4354 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:55065 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x30D53662 Ack: 0x166FB709 Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/24-13:58:59.100873 24.209.191.91:4380 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:56048 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x30EA1A75 Ack: 0x1641B1E9 Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:58:59.420160 24.209.191.91:4694 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:56116 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x31DD3925 Ack: 0x16ED9BDC Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:58:59.821471 24.209.191.91:4722 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:56214 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x31F38801 Ack: 0x16E49318 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:59:00.196609 24.209.191.91:4756 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:56299 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x320C7AE8 Ack: 0x166F6EEC Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:59:00.632251 24.209.191.91:4790 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:56417 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x32261436 Ack: 0x16FCB3E6 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:59:22.028927 24.209.191.91:2818 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:62518 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x3818B35E Ack: 0x185A2B26 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:59:22.247493 24.209.191.91:2839 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:62558 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x382A2185 Ack: 0x17CF4D05 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:59:22.483045 24.209.191.91:2858 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:62603 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x38388D4A Ack: 0x17FF4912 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:59:22.749178 24.209.191.91:2877 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:62649 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x3847C535 Ack: 0x187049A4 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-13:59:26.017785 24.209.191.91:3203 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:63626 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x3941961E Ack: 0x18863600 Win: 0x4470 TcpLen: 20
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-14:33:41.369300 24.209.191.91:1993 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:18329 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x4C2361F9 Ack: 0x996A01DB Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-14:33:45.417783 24.209.191.91:2041 -> 192.168.1.6:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:110
***AP*** Seq: 0x4C4639C6 Ack: 0x1AEF1482 Win: 0x0 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-14:33:48.806940 24.209.191.91:2406 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:20641 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x4D5C6FA5 Ack: 0x99C881E4 Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-14:33:52.234347 24.209.191.91:2710 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:21670 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x4E402CE1 Ack: 0x99E92B30 Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-14:33:55.604578 24.209.191.91:3300 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:22893 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x4FFF960A Ack: 0x9B0300A9 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/24-14:33:55.917150 24.209.191.91:3330 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:22976 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x50158A77 Ack: 0x9A9104B4 Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/24-14:33:56.235984 24.209.191.91:3356 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:23079 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x50292A3E Ack: 0x9A657F16 Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-14:33:56.605316 24.209.191.91:3386 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:23200 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x503FF0AE Ack: 0x9A8747B7 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-14:33:57.055911 24.209.191.91:3420 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:23318 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x50598465 Ack: 0x9A62AE06 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-14:34:00.328167 24.209.191.91:3705 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:24258 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x51345181 Ack: 0x9ADDCB3E Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-14:34:00.710277 24.209.191.91:3727 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:24359 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x514548A0 Ack: 0x9B2A3EA4 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-14:34:01.002850 24.209.191.91:3757 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:24446 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x515CE988 Ack: 0x9B22C04E Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-14:34:04.279738 24.209.191.91:4063 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:25536 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x5244BB7E Ack: 0x9B599D8D Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-14:34:04.510464 24.209.191.91:4089 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:25646 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x5255B537 Ack: 0x9B63B0E4 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-14:34:04.740043 24.209.191.91:4113 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:25737 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x5268A90B Ack: 0x9AD57CB0 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/24-14:34:05.086257 24.209.191.91:4138 -> 192.168.1.6:80
TCP TTL:117 TOS:0x0 ID:25846 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x527B7742 Ack: 0x9B84A861 Win: 0x4470 TcpLen: 20
SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
Page generated at Tue Jun 17 09:03:52 2003