SnortSnarf alert page

Source: 24.209.219.162: #201-213

SnortSnarf v021111.1

Looking using input module SnortFileInput, with sources:
Earliest: 09:59:06.349647 on 05/22/2003
Latest: 09:59:27.213821 on 05/22/2003

6 different signatures are present for 24.209.219.162 as a source

There is 1 distinct destination IP in the alerts of the type on this page.

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-09:59:06.349647 24.209.219.162:4976 -> 192.168.1.6:80
TCP TTL:123 TOS:0x0 ID:54646 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x361A1FBD Ack: 0xC01B7F9 Win: 0x4470 TcpLen: 20

[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-09:59:06.414816 24.209.219.162:4986 -> 192.168.1.6:80
TCP TTL:123 TOS:0x0 ID:54659 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x361F03F6 Ack: 0xC5564B3 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/22-09:59:06.518673 24.209.219.162:4996 -> 192.168.1.6:80
TCP TTL:123 TOS:0x0 ID:54672 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x3621FAE4 Ack: 0xBD0E88E Win: 0x4470 TcpLen: 20

[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/22-09:59:11.998642 24.209.219.162:1406 -> 192.168.1.6:80
TCP TTL:123 TOS:0x0 ID:55628 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x371444E6 Ack: 0xBEE3DBB Win: 0x4470 TcpLen: 20

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-09:59:21.430856 24.209.219.162:1804 -> 192.168.1.6:80
TCP TTL:123 TOS:0x0 ID:57200 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x385C11D7 Ack: 0xD03974F Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-09:59:21.505118 24.209.219.162:1809 -> 192.168.1.6:80
TCP TTL:123 TOS:0x0 ID:57217 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x385FB745 Ack: 0xD65E898 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-09:59:21.599450 24.209.219.162:1815 -> 192.168.1.6:80
TCP TTL:123 TOS:0x0 ID:57242 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x386442D4 Ack: 0xD488FF5 Win: 0x4470 TcpLen: 20

[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-09:59:21.666051 24.209.219.162:1823 -> 192.168.1.6:80
TCP TTL:123 TOS:0x0 ID:57256 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x3869A3D8 Ack: 0xD1B4352 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-09:59:21.794558 24.209.219.162:1827 -> 192.168.1.6:80
TCP TTL:123 TOS:0x0 ID:57276 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x386D4ADC Ack: 0xD172D5D Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-09:59:21.871018 24.209.219.162:1831 -> 192.168.1.6:80
TCP TTL:123 TOS:0x0 ID:57296 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x3871C55E Ack: 0xC96C18A Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-09:59:25.857130 24.209.219.162:1835 -> 192.168.1.6:80
TCP TTL:123 TOS:0x0 ID:57608 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x38748E94 Ack: 0xD0C5F6D Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-09:59:27.077825 24.209.219.162:1953 -> 192.168.1.6:80
TCP TTL:123 TOS:0x0 ID:57784 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x38D1ED52 Ack: 0xCD07951 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/22-09:59:27.213821 24.209.219.162:1986 -> 192.168.1.6:80
TCP TTL:123 TOS:0x0 ID:57837 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x38EE8F58 Ack: 0xD186D3C Win: 0x4470 TcpLen: 20

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:53 2003