Subject: [Snort-sigs] False +ves for COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost,Sig ID,100000138
Date: Wed, 05 Oct 2005 13:44:12 +1300
Traffic from Google Maps triggers this sig with localhost in the
referer...

R

META
--------
SID     CID     TimeStamp               Signature
6       1852551 2005-10-04 16:30:05     COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost

Sig ID
100000138

Sensor Hostname                         Sensor Interface
hihi.insec.auckland.ac.nz       new dmz sensor

IP
--------
Source Address  Dest Address    Ver     Hdr Len
130.216.97.96   66.102.7.99     4       5
TOS     length  ID      flags   offset  TTL     chksum
0       414     31505   2       0       125     21319

Resolved Source
wks-104-151-2.isom.auckland.ac.nz

Resolved Dest
Could Not Resolve


TCP
--------
Source Port     Dest Port       Seq             Ack             
3603            80              2863650286      3336085125
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               24      64512   33346           0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X       X                               

DATA
--------
GET /maps?file=api&v=1&key=ABQIAAAAs5UE471qW8DM4jCbPbQK7xSPu
xNrlRg4DdvmgL_uK9zPseLPARTep9QpQIepwXy017z8cmRzbBOoNw HTTP/1
.1..Accept: */*..Referer: http://localhost/TestWeb/Map.aspx.
.Accept-Language: en-nz..Accept-Encoding: gzip, deflate..Use
r-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
SV1; .NET CLR 1.1.4322)..Host: maps.google.com..Connection:
Keep-Alive....


  • [Snort-sigs] False +ves for COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost,Sig ID,100000138, Russell Fulton <=
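
The triage step this report implies, as an added example that is not part of the original post or of the Snort community rules: parse the alerted payload and report which part of the request carries a localhost URL, so a hit in Referer only can be separated from one in the request target or Host header. The function names are hypothetical, the rule body is not shown on the page so nothing here reproduces it, and the sample request is rebuilt from the alert above with the key parameter omitted.

```python
from urllib.parse import urlsplit

# Constructed from the DATA section of the alert: ".." restored to CRLF,
# the long key= query parameter left out.
SAMPLE = (
    b"GET /maps?file=api&v=1 HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://localhost/TestWeb/Map.aspx\r\n"
    b"Accept-Language: en-nz\r\n"
    b"Host: maps.google.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

def parse_request(raw: bytes):
    """Split an HTTP/1.x request head into (target, {lower-case header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return target, headers

def localhost_locations(raw: bytes):
    """List the request fields whose host component is 'localhost'."""
    target, headers = parse_request(raw)
    hits = []
    # An absolute-form target (http://host/path) names the server directly.
    if urlsplit(target).hostname == "localhost":
        hits.append("request-target")
    # Host may carry a port; prefixing '//' lets urlsplit parse it as an authority.
    if urlsplit("//" + headers.get("host", "")).hostname == "localhost":
        hits.append("host")
    # Referer is client-supplied context about the previous page, not the server name.
    if urlsplit(headers.get("referer", "")).hostname == "localhost":
        hits.append("referer")
    return hits

def triage(raw: bytes) -> str:
    hits = localhost_locations(raw)
    if not hits:
        return "none"
    if hits == ["referer"]:
        return "referer-only"   # the pattern reported in this post
    return "server-name"        # localhost named as the server itself

if __name__ == "__main__":
    print(localhost_locations(SAMPLE), triage(SAMPLE))
```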