SnortSnarf alert page

Source: 24.209.39.246: #301-326

SnortSnarf v021111.1


Looking using input module SnortFileInput, with sources:
Earliest: 20:45:29.809107 on 05/13/2003
Latest: 21:52:12.598923 on 05/13/2003

7 different signatures are present for 24.209.39.246 as a source

There is 1 distinct destination IP in the alerts of the type on this page.

[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/13-20:45:29.809107 24.209.39.246:2063 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:29196 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x6C11B7E4 Ack: 0xC7A32B6D Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/13-20:45:30.969606 24.209.39.246:2185 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:29383 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x6C7CD934 Ack: 0xC7FE827A Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-20:45:32.126337 24.209.39.246:2224 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:29581 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x6C9B970D Ack: 0xC7F97CC3 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-20:45:36.588877 24.209.39.246:2331 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:30222 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6CF98478 Ack: 0xC84BA9B6 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-20:45:38.042193 24.209.39.246:2375 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:30452 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6D1F435D Ack: 0xC7D29EA8 Win: 0x4470 TcpLen: 20
[**] [1:981:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-20:45:39.405210 24.209.39.246:2412 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:30666 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6D415C08 Ack: 0xC801A6F3 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-20:45:43.710405 24.209.39.246:2544 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:31363 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x6DAD18F9 Ack: 0xC85E47BB Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-20:45:45.161442 24.209.39.246:2582 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:31583 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x6DCE7D23 Ack: 0xC8341108 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-20:45:46.751549 24.209.39.246:2621 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:31806 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x6DF0BF8A Ack: 0xC90330DD Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-20:45:48.285280 24.209.39.246:2670 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:32049 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x6E1B89C6 Ack: 0xC87695B5 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-20:45:52.620173 24.209.39.246:2705 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:32783 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x6E3B939E Ack: 0xC969DF4E Win: 0x4470 TcpLen: 20
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-21:51:39.211349 24.209.39.246:4557 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:11038 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x6FFBCD Ack: 0xC03F03CC Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-21:51:39.474149 24.209.39.246:4561 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:11070 IpLen:20 DgmLen:110 DF
***AP*** Seq: 0x73C1CD Ack: 0xC0474054 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-21:51:39.620873 24.209.39.246:4568 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:11096 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x793C95 Ack: 0xC06193C6 Win: 0x4470 TcpLen: 20
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-21:51:43.328043 24.209.39.246:4668 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:11577 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xCEA2D8 Ack: 0xC1323FB6 Win: 0x4470 TcpLen: 20
[**] [1:1945:1] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-21:51:43.848677 24.209.39.246:4683 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:11652 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xD9D48D Ack: 0xC04179C0 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1288:5] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/13-21:51:53.301670 24.209.39.246:1059 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:13227 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x1FCA14F Ack: 0xC15484AB Win: 0x4470 TcpLen: 20
[**] [1:1286:5] WEB-IIS _mem_bin access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/13-21:51:57.400911 24.209.39.246:1082 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:13887 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x20F888B Ack: 0xC15679F5 Win: 0x4470 TcpLen: 20
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-21:52:06.661529 24.209.39.246:1491 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:15094 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x365F113 Ack: 0xC1CDB3A2 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:982:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-21:52:06.812035 24.209.39.246:1495 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:15109 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x3693E13 Ack: 0xC1BDAA6A Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-21:52:06.976152 24.209.39.246:1503 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:15138 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x36FBCB5 Ack: 0xC1CBA026 Win: 0x4470 TcpLen: 20
[**] [1:983:6] WEB-IIS unicode directory traversal attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-21:52:07.525412 24.209.39.246:1513 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:15218 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x378647E Ack: 0xC1A95B92 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-21:52:07.775495 24.209.39.246:1518 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:15248 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x37DC65C Ack: 0xC26B43CC Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-21:52:11.260803 24.209.39.246:1601 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:15613 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x3C5BBB2 Ack: 0xC212BC52 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:970:5] WEB-IIS multiple decode attempt [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-21:52:11.840948 24.209.39.246:1617 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:15673 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x3D305FE Ack: 0xC2A1AB24 Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0333]
[**] [1:1002:5] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/13-21:52:12.598923 24.209.39.246:1635 -> 192.168.1.6:80
TCP TTL:120 TOS:0x0 ID:15754 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x3E25700 Ack: 0xC2557E52 Win: 0x4470 TcpLen: 20
SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Jun 17 09:03:54 2003