Subject: [Snort-sigs] FPs WEB-CLIENT Windows Metafile invalid header size integer overflow,Sig ID,5713
Date: Wed, 08 Mar 2006 09:27:50 +1300
I'm seeing a bunch of these from an internal site as well as a
smattering from other sites including microsoft.com

Russell

META
--------
SID     CID     TimeStamp               Signature
1       3970213 2006-03-07 10:39:24     WEB-CLIENT Windows Metafile invalid header size integer overflow
Sig ID
5713

Sensor Hostname                         Sensor Interface
monitor-itss.insec.auckland.ac.nz       ITSS sector switch

IP
--------
Source Address  Dest Address    Ver     Hdr Len
130.216.191.54  130.216.204.172 4       5
TOS     length  ID      flags   offset  TTL     chksum
0       1331    23115   2       0       126     3046

Resolved Source
gula.lbr.auckland.ac.nz

Resolved Dest
t710-323-23.sfac.auckland.ac.nz

TCP
--------
Source Port     Dest Port       Seq             Ack             
80              1734            3713635408      1326985627
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               24      17520   53225           0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X       X                               

DATA
--------
HTTP/1.1 200 OK..Server: Microsoft-IIS/5.0..X-Powered-By: AS
P.NET..Date: Mon, 06 Mar 2006 21:41:45 GMT..Content-Type: ap
plication/x-msmetafile..Accept-Ranges: bytes..Last-Modified:
 Sun, 15 Mar 1998 05:01:42 GMT..ETag: "07fa971cf4fbd1:17d1".
.Content-Length: 1026................6........T............X


  • [Snort-sigs] FPs WEB-CLIENT Windows Metafile invalid header size integer overflow,Sig ID,5713, Russell Fulton <=