Robert T Wyatt wrote:
Frank Knobbe wrote:
Your Snort didn't alert on that? Mine do all the time. It's SID 1250
(web-misc.rules). You might want to check your config to see if this
rule file is loaded and to ensure you don't miss other sigs too.
Patrick S. Harper wrote:
> Old Cisco exploit. I saw a bunch of them not too long ago.
>
> http://isc.sans.org/diary.php?storyid=1104
Thanks folks, I think it must have happened right when I was restarting
snort after a rule update.
I will watch for this in the future to ensure that my setup is correct.
My Snort is working fine; it really must have happened right as I was
restarting the application that day.
[**] [1:1250:13] WEB-MISC Cisco IOS HTTP configuration attempt [**]
[Classification: Web Application Attack] [Priority: 1]
02/16-17:31:44.420752 80.192.40.254:3763 -> 66.90.146.246:80
TCP TTL:112 TOS:0x0 ID:54368 IpLen:20 DgmLen:78 DF
***AP*** Seq: 0xFD838C6F Ack: 0xCC3D1484 Win: 0xFAF0 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10700][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0537][Xref =>
http://www.securityfocus.com/bid/2936]
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
