List: snort-users
Subject: Re: [Snort-users] Dropped packets again
From: Joel Esler <jesler () sourcefire ! com>
Date: 2010-11-24 2:02:07
Message-ID: 8776EBCC-3A0D-4F1C-B752-BACAB281951A () sourcefire ! com
James,

Thanks for writing in, we'll take a look.

Any way you can pass us a full-session pcap of the activity? I don't know if you do full packet capture as well, but if you could send us that, that'd be the way to go so we can research this properly.

Thanks.

Joel
On Nov 23, 2010, at 6:44 PM, Lay, James wrote:
> Hey folks.
>
> So again...doing my job and I see a spate of sid 17645:
>
> 11/23-16:20:50.583059 [**] [1:4152:4] WEB-ACTIVEX Windows Media Player
> 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege
> Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580
>
> 11/23-16:20:50.625051 [**] [1:4152:4] WEB-ACTIVEX Windows Media Player
> 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege
> Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580
>
> 11/23-16:28:32.188567 [**] [1:17645:1] WEB-CLIENT Microsoft Internet
> Explorer CSS strings parsing memory corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 149.136.20.26:80 -> 10.21.0.16:34645
>
> 11/23-16:28:32.937516 [**] [1:17645:1] WEB-CLIENT Microsoft Internet
> Explorer CSS strings parsing memory corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 149.136.20.26:80 -> 10.21.0.16:34645
>
> 11/23-16:28:32.942511 [**] [1:17645:1] WEB-CLIENT Microsoft Internet
> Explorer CSS strings parsing memory corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 149.136.20.26:80 -> 10.21.0.16:34645
>
> 11/23-16:28:32.948508 [**] [1:17645:1] WEB-CLIENT Microsoft Internet
> Explorer CSS strings parsing memory corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 149.136.20.26:80 -> 10.21.0.16:34645
>
> 11/23-16:28:32.954510 [**] [1:17645:1] WEB-CLIENT Microsoft Internet
> Explorer CSS strings parsing memory corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 149.136.20.26:80 -> 10.21.0.16:34645
>
> 11/23-16:28:32.959510 [**] [1:17645:1] WEB-CLIENT Microsoft Internet
> Explorer CSS strings parsing memory corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 149.136.20.26:80 -> 10.21.0.16:34645
>
> 11/23-16:28:32.965509 [**] [1:17645:1] WEB-CLIENT Microsoft Internet
> Explorer CSS strings parsing memory corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 149.136.20.26:80 -> 10.21.0.16:34645
>
> 11/23-16:28:32.971510 [**] [1:17645:1] WEB-CLIENT Microsoft Internet
> Explorer CSS strings parsing memory corruption attempt [**]
> [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP}
> 149.136.20.26:80 -> 10.21.0.16:34645
>
> 11/23-16:30:02.942794 [**] [1:15213010:1] ET WEB_CLIENT PDF Name
> Representation Obfuscation of /OpenAction [**] [Classification:
> Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 ->
> 10.21.0.16:34763
>
> 11/23-16:30:02.942794 [**] [1:15213001:1] ET WEB_CLIENT PDF Name
> Representation Obfuscation of /Subtype [**] [Classification: Potentially
> Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763
>
> Checking my pcapdump file I get:
>
> 16:20:50.583059 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack
> 3547191753, win 65535, length 1400
>
> 16:20:50.625051 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 1,
> win 65535, length 1400
>
> 16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack
> 1493254297, win 48593, length 1380
>
> 16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack
> 1, win 48593, length 1380
>
> SID 17645 is completely missing. I recall sending this to the list a
> while ago...I've recompiled things...and still it seems certain SIDs are
> left out of the packet captures. There are no errors on the
> interfaces...lots of free memory, and CPU is pretty minimal. What else
> can I check? Am I just out of luck now? Thanks.
>
> James Lay
> IT Security Analyst
> WinCo Foods
> 208-672-2014 Office
> 208-559-1855 Cell
> 650 N Armstrong Pl.
> Boise, Idaho 83704
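
The check James describes by hand above (look each alert up in the pcapdump output by timestamp and address/port pair, and see which SIDs never have a packet behind them) mechanised, as an added example that is not from this thread or from Snort itself. It assumes Snort's "fast" alert format and `tcpdump -n` summary output exactly as they appear in James's post; the sample lines are the ones he quoted, re-joined onto single lines after the mail wrapping, and the function names are my own. The per-SID tally is the useful part: a SID that is missing every time while others on the same host match points at something systematic in the capture path rather than random drops, which is worth sending along with the pcap Joel asks for.

```python
import re
from collections import Counter

# Snort "fast" alert line, one per line as Snort writes it (the post's lines re-joined):
# 11/23-16:28:32.188567 [**] [1:17645:1] WEB-CLIENT ... [**] [Classification: ...] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
ALERT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# tcpdump summary line as printed by `tcpdump -nr capture.pcap`:
# 16:20:50.583059 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 1, win 65535, length 1400
PKT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d{6})\s+IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def _usec(hhmmss):
    """Time of day -> microseconds since midnight (tcpdump output carries no date)."""
    h, m, s = hhmmss.split(":")
    sec, frac = s.split(".")
    return ((int(h) * 60 + int(m)) * 60 + int(sec)) * 1_000_000 + int(frac)


def _parse(text, regex):
    recs = []
    for line in text.splitlines():
        m = regex.match(line.strip())
        if m:
            d = m.groupdict()
            d["usec"] = _usec(d["time"])
            recs.append(d)
    return recs


def parse_alerts(text):
    return _parse(text, ALERT_RE)


def parse_packets(text):
    return _parse(text, PKT_RE)


def flow_key(rec):
    """Unidirectional 4-tuple; the alert's src/dst is the direction of the triggering packet."""
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"])


def correlate(alerts, packets, tolerance_usec=0):
    """Split alerts into (matched, missing).

    Snort stamps an alert with the timestamp of the packet that fired it, so an
    exact timestamp + 4-tuple match (tolerance 0) is the strict check; a small
    tolerance absorbs rounding when alerts and pcap come from different writers.
    """
    by_flow = {}
    for p in packets:
        by_flow.setdefault(flow_key(p), []).append(p["usec"])
    matched, missing = [], []
    for a in alerts:
        stamps = by_flow.get(flow_key(a), [])
        if any(abs(t - a["usec"]) <= tolerance_usec for t in stamps):
            matched.append(a)
        else:
            missing.append(a)
    return matched, missing


def missing_by_sid(missing):
    """Count unmatched alerts per SID; a SID that is never captured is the signal to report."""
    return Counter(a["sid"] for a in missing)


def audit(alert_text, packet_text, tolerance_usec=0):
    """One-shot summary suitable for pasting into a bug report."""
    alerts = parse_alerts(alert_text)
    packets = parse_packets(packet_text)
    matched, missing = correlate(alerts, packets, tolerance_usec)
    return {"alerts": len(alerts), "packets": len(packets),
            "matched": len(matched), "missing_by_sid": dict(missing_by_sid(missing))}


# Sample input: a subset of the alert and pcapdump lines quoted in the post, re-joined.
SAMPLE_ALERTS = """\
11/23-16:20:50.583059 [**] [1:4152:4] WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580
11/23-16:20:50.625051 [**] [1:4152:4] WEB-ACTIVEX Windows Media Player 6.4 ActiveX Object Access [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.36:80 -> 10.21.0.16:33580
11/23-16:28:32.188567 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.937516 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:28:32.942511 [**] [1:17645:1] WEB-CLIENT Microsoft Internet Explorer CSS strings parsing memory corruption attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 149.136.20.26:80 -> 10.21.0.16:34645
11/23-16:30:02.942794 [**] [1:15213010:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /OpenAction [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763
11/23-16:30:02.942794 [**] [1:15213001:1] ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 149.136.20.66:80 -> 10.21.0.16:34763
"""

SAMPLE_PACKETS = """\
16:20:50.583059 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 3547191753, win 65535, length 1400
16:20:50.625051 IP 65.55.87.36.80 > 10.21.0.16.33580: Flags [.], ack 1, win 65535, length 1400
16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack 1493254297, win 48593, length 1380
16:30:02.942794 IP 149.136.20.66.80 > 10.21.0.16.34763: Flags [.], ack 1, win 48593, length 1380
"""

if __name__ == "__main__":
    summary = audit(SAMPLE_ALERTS, SAMPLE_PACKETS, tolerance_usec=2000)
    print(f"{summary['matched']} of {summary['alerts']} alerts have a packet in the capture")
    for sid, n in sorted(summary["missing_by_sid"].items()):
        print(f"  sid {sid}: {n} alert(s) with no matching packet")
```

Run it against `alert` (or `alert.fast`) and `tcpdump -nr snort.log.<ts>` output instead of the embedded samples; if the missing set is always the same SIDs for the same destination host while other SIDs on that host match, that pattern, plus the full-session pcap, is what to send in.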
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users