LJ Archive

Listing 2. Common Snort Alerts

[**] spp_http_decode: IIS Unicode attack detected [**]
03/07-11:10:40.910903 192.168.0.1:3607 -> 192.168.1.2:80
TCP TTL:249 TOS:0x0 ID:22898 IpLen:20 DgmLen:1022 DF
***AP*** Seq: 0x552997B8  Ack: 0xE39D7CB1  Win: 0x4470  TcpLen: 20

[**] IDS198/SYN FIN Scan [**]
03/13-01:38:45.254726 192.168.1.3:53 -> 192.168.0.1:53
TCP TTL:23 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x4D622A79  Ack: 0x7EEF29AF  Win: 0x404  TcpLen: 20

03/15-19:36:23.468056
[**] spp_portscan: PORTSCAN DETECTED from 192.168.2.25 (THRESHOLD 3 connections exceeded in 4 seconds) [**]
03/15-19:36:39.561360
[**] spp_portscan: portscan status from 192.168.3.25: 5 connections across 1 hosts: TCP(0), UDP(5) [**]