[Snort-users] Alert turns up as ftp_telnet

From: Brian Lavender <brian(at)brie.com>
Date: Tue Aug 28 2007 - 14:36:19 EDT


At one point I was running snort and I was getting alerts that corresponded directly to the exploit I attempted. Now, I get ftp_telnet alerts. What gives?

http://downloads.securityfocus.com/vulnerabilities/exploits/wuftpd-2.6.0-exp2.c

SNORT snort-2.6.1.5

/var/log/snort/alert (on 192.168.1.121)

[**] [1:553:7] POLICY FTP anonymous login attempt [**]
[Classification: Misc activity] [Priority: 3]
08/09-15:46:51.630779 192.168.1.121:54835 -> 192.168.1.136:21 TCP TTL:64 TOS:0x0 ID:3402 IpLen:20 DgmLen:62 DF ***AP*** Seq: 0x1E0C3C4B Ack: 0xB33C7309 Win: 0x5C TcpLen: 32 TCP Options (3) => NOP NOP TS: 1221541186 17773996

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
08/09-15:46:51.632771 192.168.1.121:54835 -> 192.168.1.136:21 TCP TTL:64 TOS:0x0 ID:3403 IpLen:20 DgmLen:457 DF ***AP*** Seq: 0x1E0C3C55 Ack: 0xB33C734D Win: 0x5C TcpLen: 32 TCP Options (3) => NOP NOP TS: 1221541188 17773996
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:1972:16] FTP PASS overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
08/09-15:46:51.632771 192.168.1.121:54835 -> 192.168.1.136:21 TCP TTL:64 TOS:0x0 ID:3403 IpLen:20 DgmLen:457 DF ***AP*** Seq: 0x1E0C3C55 Ack: 0xB33C734D Win: 0x5C TcpLen: 32 TCP Options (3) => NOP NOP TS: 1221541188 17773996
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0895][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0126][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-1035][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1539][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1519][Xref => http://www.securityfocus.com/bid/9285][Xref => http://www.securityfocus.com/bid/8601][Xref => http://www.securityfocus.com/bid/3884][Xref => http://www.securityfocus.com/bid/1690][Xref => http://www.securityfocus.com/bid/10720][Xref => http://www.securityfocus.com/bid/10078]

[**] [1:1748:8] FTP command overflow attempt [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
08/09-15:46:51.632771 192.168.1.121:54835 -> 192.168.1.136:21 TCP TTL:64 TOS:0x0 ID:3403 IpLen:20 DgmLen:457 DF ***AP*** Seq: 0x1E0C3C55 Ack: 0xB33C734D Win: 0x5C TcpLen: 32 TCP Options (3) => NOP NOP TS: 1221541188 17773996
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0606][Xref => http://www.securityfocus.com/bid/4638]

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
08/09-15:46:51.636024 192.168.1.136:21 -> 192.168.1.121:54835 TCP TTL:64 TOS:0x10 ID:143 IpLen:20 DgmLen:480 DF ***AP*** Seq: 0xB33C734D Ack: 0x1E0C3DEA Win: 0x7D78 TcpLen: 32 TCP Options (3) => NOP NOP TS: 17773997 1221541188
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:361:15] FTP SITE EXEC attempt [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/09-15:47:01.637579 192.168.1.121:54835 -> 192.168.1.136:21 TCP TTL:64 TOS:0x0 ID:3406 IpLen:20 DgmLen:66 DF ***AP*** Seq: 0x1E0C3DEA Ack: 0xB33C7594 Win: 0x7D TcpLen: 32 TCP Options (3) => NOP NOP TS: 1221551192 17773999
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0955][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0080][Xref => http://www.securityfocus.com/bid/2241][Xref => http://www.whitehats.com/info/IDS317

Now I am getting alerts that look like this!

08/28-09:52:29.622502  [**] [125:6:1]  (ftp_telnet) FTP response message was too long [**] {TCP} 192.168.1.122:21 -> 192.168.1.114:53757 [2:830]

[**] [125:3:1] (ftp_telnet) FTP command parameters were too long [**]
08/28-10:13:40.220803 192.168.1.114:41513 -> 192.168.1.122:21 TCP TTL:64 TOS:0x0 ID:20829 IpLen:20 DgmLen:457 DF ***AP*** Seq: 0x536DA099 Ack: 0xFA91F5D0 Win: 0x5C TcpLen: 32 TCP Options (3) => NOP NOP TS: 2843737552 237713562
08/28-10:13:40.220803  [**] [125:3:1]  (ftp_telnet) FTP command parameters were too long [**] {TCP} 192.168.1.114:41513 -> 192.168.1.122:21 [2:831]

[**] [125:6:1] (ftp_telnet) FTP response message was too long [**]
08/28-10:13:40.221006 192.168.1.122:21 -> 192.168.1.114:41513 TCP TTL:64 TOS:0x10 ID:49325 IpLen:20 DgmLen:480 DF ***AP*** Seq: 0xFA91F5D0 Ack: 0x536DA22E Win: 0x36 TcpLen: 32 TCP Options (3) => NOP NOP TS: 237713562 2843737552
08/28-10:13:40.221006  [**] [125:6:1]  (ftp_telnet) FTP response message was too long [**] {TCP} 192.168.1.122:21 -> 192.168.1.114:41513 [2:832]

[**] [125:3:1] (ftp_telnet) FTP command parameters were too long [**]
08/28-10:13:54.079879 192.168.1.114:41514 -> 192.168.1.122:21 TCP TTL:64 TOS:0x0 ID:908 IpLen:20 DgmLen:457 DF ***AP*** Seq: 0x8E0F247D Ack: 0xFB57457A Win: 0x5C TcpLen: 32 TCP Options (3) => NOP NOP TS: 2843751410 237717027
-- 
Brian Lavender
http://www.brie.com/brian/
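As an added example (not from the original post and not Snort's own code), a small parser for the two alert formats shown above that attributes each event to the component that generated it: the generator ID before the SID is 1 for the rule engine and 125 for the ftp_telnet preprocessor, so the second batch of alerts comes from the preprocessor's protocol-length checks rather than from any signature. The sample lines are constructed in the shape of the post's output.

```python
import re
from collections import Counter

# Constructed sample shaped like the post's /var/log/snort/alert: a rule alert (GID 1),
# an ftp_telnet preprocessor alert (GID 125, no Classification line) and a "fast" line.
SAMPLE_ALERTS = """\
[**] [1:1972:16] FTP PASS overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
08/09-15:46:51.632771 192.168.1.121:54835 -> 192.168.1.136:21 TCP TTL:64 TOS:0x0 ID:3403 IpLen:20 DgmLen:457 DF

[**] [125:3:1] (ftp_telnet) FTP command parameters were too long [**]
08/28-10:13:40.220803 192.168.1.114:41513 -> 192.168.1.122:21 TCP TTL:64 TOS:0x0 ID:20829 IpLen:20 DgmLen:457 DF

08/28-10:13:40.221006  [**] [125:6:1]  (ftp_telnet) FTP response message was too long [**] {TCP} 192.168.1.122:21 -> 192.168.1.114:41513 [2:832]
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
PACKET_RE = re.compile(r"^(\S+) (\S+?):(\d+) -> (\S+?):(\d+) \w+ TTL:")
FAST_RE = re.compile(r"^(\S+)\s+\[\*\*\] \[(\d+):(\d+):(\d+)\]\s+(.+?) \[\*\*\] "
                     r"\{\w+\} (\S+?):(\d+) -> (\S+?):(\d+)")
# Generator IDs seen in the post: 1 is the rule engine, 125 is the ftp_telnet
# preprocessor, so a 125:x:y alert means a protocol check fired, not a signature.
GENERATORS = {1: "rules", 125: "ftp_telnet preprocessor"}

def _record(gid, sid, rev, msg, ts=None, src=None, sport=None, dst=None, dport=None):
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
            "source": GENERATORS.get(int(gid), "gid " + gid), "timestamp": ts,
            "src": src, "sport": int(sport) if sport else None, "dst": dst,
            "dport": int(dport) if dport else None, "classification": None, "priority": None}

def parse_alerts(text):
    records, cur = [], None
    for line in text.splitlines():
        if m := FAST_RE.match(line):          # one-line fast format: complete in itself
            records.append(_record(*m.group(2, 3, 4, 5, 1, 6, 7, 8, 9)))
            cur = None
        elif m := HEADER_RE.match(line):      # full format: header starts a new record
            cur = _record(*m.groups())
            records.append(cur)
        elif cur and (m := CLASS_RE.match(line)):
            cur["classification"], cur["priority"] = m.group(1), int(m.group(2))
        elif cur and (m := PACKET_RE.match(line)):
            cur.update(timestamp=m.group(1), src=m.group(2), sport=int(m.group(3)),
                       dst=m.group(4), dport=int(m.group(5)))
    return records

def count_by_source(records):
    return Counter(r["source"] for r in records)
```

Run against the real alert file, `count_by_source` makes the shift in the post visible at a glance: the first capture is all GID 1 rule hits, the second is GID 125 preprocessor events with no classification or priority at all.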

Received on Tue Aug 28 14:36:42 2007

This archive was generated by hypermail 2.1.8 : Mon Oct 08 2007 - 18:07:00 EDT


Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library