
[Snort-users] Alert turns up as ftp_telnet

Subject: [Snort-users] Alert turns up as ftp_telnet
Date: Tue, 28 Aug 2007 11:36:19 -0700
At one point I was running snort and I was getting alerts that
corresponded directly to the exploit I attempted. Now, I get ftp_telnet
alerts. What gives?

http://downloads.securityfocus.com/vulnerabilities/exploits/wuftpd-2.6.0-exp2.c


SNORT snort-2.6.1.5

/var/log/snort/alert (on 192.168.1.121)

[**] [1:553:7] POLICY FTP anonymous login attempt [**]
[Classification: Misc activity] [Priority: 3]
08/09-15:46:51.630779 192.168.1.121:54835 -> 192.168.1.136:21
TCP TTL:64 TOS:0x0 ID:3402 IpLen:20 DgmLen:62 DF
***AP*** Seq: 0x1E0C3C4B  Ack: 0xB33C7309  Win: 0x5C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1221541186 17773996

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
08/09-15:46:51.632771 192.168.1.121:54835 -> 192.168.1.136:21
TCP TTL:64 TOS:0x0 ID:3403 IpLen:20 DgmLen:457 DF
***AP*** Seq: 0x1E0C3C55  Ack: 0xB33C734D  Win: 0x5C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1221541188 17773996
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:1972:16] FTP PASS overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
08/09-15:46:51.632771 192.168.1.121:54835 -> 192.168.1.136:21
TCP TTL:64 TOS:0x0 ID:3403 IpLen:20 DgmLen:457 DF
***AP*** Seq: 0x1E0C3C55  Ack: 0xB33C734D  Win: 0x5C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1221541188 17773996
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0895][Xref => 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0126][Xref => 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-1035][Xref => 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1539][Xref => 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1519][Xref => 
http://www.securityfocus.com/bid/9285][Xref => 
http://www.securityfocus.com/bid/8601][Xref => 
http://www.securityfocus.com/bid/3884][Xref => 
http://www.securityfocus.com/bid/1690][Xref => 
http://www.securityfocus.com/bid/10720][Xref => 
http://www.securityfocus.com/bid/10078]

[**] [1:1748:8] FTP command overflow attempt [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
08/09-15:46:51.632771 192.168.1.121:54835 -> 192.168.1.136:21
TCP TTL:64 TOS:0x0 ID:3403 IpLen:20 DgmLen:457 DF
***AP*** Seq: 0x1E0C3C55  Ack: 0xB33C734D  Win: 0x5C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1221541188 17773996
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0606][Xref => 
http://www.securityfocus.com/bid/4638]

[**] [1:648:7] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
08/09-15:46:51.636024 192.168.1.136:21 -> 192.168.1.121:54835
TCP TTL:64 TOS:0x10 ID:143 IpLen:20 DgmLen:480 DF
***AP*** Seq: 0xB33C734D  Ack: 0x1E0C3DEA  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 17773997 1221541188
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:361:15] FTP SITE EXEC attempt [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/09-15:47:01.637579 192.168.1.121:54835 -> 192.168.1.136:21
TCP TTL:64 TOS:0x0 ID:3406 IpLen:20 DgmLen:66 DF
***AP*** Seq: 0x1E0C3DEA  Ack: 0xB33C7594  Win: 0x7D  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1221551192 17773999
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0955][Xref => 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0080][Xref => 
http://www.securityfocus.com/bid/2241][Xref => 
http://www.whitehats.com/info/IDS317


Now I am getting alerts that look like this!


08/28-09:52:29.622502  [**] [125:6:1] <eth0> (ftp_telnet) FTP response message 
was too long [**] {TCP} 192.168.1.122:21 -> 192.168.1.114:53757 [2:830]
[**] [125:3:1] (ftp_telnet) FTP command parameters were too long [**]
08/28-10:13:40.220803 192.168.1.114:41513 -> 192.168.1.122:21
TCP TTL:64 TOS:0x0 ID:20829 IpLen:20 DgmLen:457 DF
***AP*** Seq: 0x536DA099  Ack: 0xFA91F5D0  Win: 0x5C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2843737552 237713562

08/28-10:13:40.220803  [**] [125:3:1] <eth0> (ftp_telnet) FTP command 
parameters were too long [**] {TCP} 192.168.1.114:41513 -> 192.168.1.122:21 
[2:831]
[**] [125:6:1] (ftp_telnet) FTP response message was too long [**]
08/28-10:13:40.221006 192.168.1.122:21 -> 192.168.1.114:41513
TCP TTL:64 TOS:0x10 ID:49325 IpLen:20 DgmLen:480 DF
***AP*** Seq: 0xFA91F5D0  Ack: 0x536DA22E  Win: 0x36  TcpLen: 32
TCP Options (3) => NOP NOP TS: 237713562 2843737552

08/28-10:13:40.221006  [**] [125:6:1] <eth0> (ftp_telnet) FTP response message 
was too long [**] {TCP} 192.168.1.122:21 -> 192.168.1.114:41513 [2:832]
[**] [125:3:1] (ftp_telnet) FTP command parameters were too long [**]
08/28-10:13:54.079879 192.168.1.114:41514 -> 192.168.1.122:21
TCP TTL:64 TOS:0x0 ID:908 IpLen:20 DgmLen:457 DF
***AP*** Seq: 0x8E0F247D  Ack: 0xFB57457A  Win: 0x5C  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2843751410 237717027


-- 
Brian Lavender
http://www.brie.com/brian/
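One way to see what changed between the two alert sets above is to attribute each alert to its Snort generator: GID 1 alerts come from text rules, GID 125 alerts from the ftp_telnet preprocessor, which raises its own SIDs (3 = command parameters too long, 6 = response message too long). The parser below is an added example, not code from the post or from the Snort project; its SAMPLE is constructed to mirror the post's alerts and mixes the 'full' and 'fast' output shapes seen there.

```python
"""Attribute Snort 2.x alerts to their generator: GID 1 = text rules, GID 125 = the
ftp_telnet preprocessor (ids from Snort's gen-msg.map). SAMPLE is constructed to mirror
the post above, not copied from it, and mixes 'full' (multi-line) and 'fast' (one-line) output."""
import re
from collections import Counter

GENERATORS = {1: "rules", 125: "ftp_telnet"}
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (?:<\S+> )?(?:\(\w+\) )?(.*?) \[\*\*\]")
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+).*?(\d[\d.]+):(\d+) -> (\d[\d.]+):(\d+)")
DGMLEN_RE = re.compile(r"DgmLen:(\d+)")

SAMPLE = """\
[**] [1:648:7] SHELLCODE x86 NOOP [**]
08/09-15:46:51.632771 192.168.1.121:54835 -> 192.168.1.136:21
TCP TTL:64 TOS:0x0 ID:3403 IpLen:20 DgmLen:457 DF
[**] [1:1972:16] FTP PASS overflow attempt [**]
08/09-15:46:51.632771 192.168.1.121:54835 -> 192.168.1.136:21
TCP TTL:64 TOS:0x0 ID:3403 IpLen:20 DgmLen:457 DF
08/28-09:52:29.622502  [**] [125:6:1] <eth0> (ftp_telnet) FTP response message was too long [**] {TCP} 192.168.1.122:21 -> 192.168.1.114:53757 [2:830]
[**] [125:3:1] (ftp_telnet) FTP command parameters were too long [**]
08/28-10:13:40.220803 192.168.1.114:41513 -> 192.168.1.122:21
TCP TTL:64 TOS:0x0 ID:20829 IpLen:20 DgmLen:457 DF
"""

def parse_alerts(text):
    """Return one dict per alert (gid, sid, rev, msg, generator, ts, src, dst[, dgmlen])."""
    events, pending = [], None
    for line in text.splitlines():
        if h := HEADER_RE.search(line):            # '[**] [gid:sid:rev] msg [**]' starts an alert
            gid = int(h[1])
            pending = {"gid": gid, "sid": int(h[2]), "rev": int(h[3]), "msg": h[4],
                       "generator": GENERATORS.get(gid, f"gid-{gid}")}
        if pending is not None and (p := PACKET_RE.search(line)):   # same line in fast format
            pending.update(ts=p[1], src=f"{p[2]}:{p[3]}", dst=f"{p[4]}:{p[5]}")
            events.append(pending)
            pending = None
        if events and (d := DGMLEN_RE.search(line)) and "dgmlen" not in events[-1]:
            events[-1]["dgmlen"] = int(d[1])        # full format: the IP header line follows
    return events

def by_generator(events):
    """Alert counts per generator; the post's change is a shift from 'rules' to 'ftp_telnet'."""
    return dict(Counter(e["generator"] for e in events))

def same_packet_groups(events):
    """Group (gid, sid) pairs by (ts, src, dst): several signatures firing on one packet."""
    groups = {}
    for e in events:
        groups.setdefault((e["ts"], e["src"], e["dst"]), []).append((e["gid"], e["sid"]))
    return groups
```

Run on a real /var/log/snort/alert, `by_generator` shows at a glance whether detections are coming from rules or from the preprocessor, and `same_packet_groups` shows which SIDs all fired on the one 457-byte command packet.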

Snort-users mailing list
Snort-users@lists.sourceforge.net