[Dshield] ISCAlert triggering Snort alerts

Castle, Shane scastle at co.boulder.co.us
Wed Aug 10 15:31:28 GMT 2005

My ISCAlert in the systray has started triggering Snort (bleeding-snort)
alerts.  Here is a synopsis:

Generated by BASE v1.1.2 (zora) on Wed, 10 Aug 2005 09:26:42 -0600

#(1 - 977224) [2005-08-10 09:10:52]
[url/securityresponse.symantec.com/avcenter/venc/data/vbs.postcard at mm.ht
 [snort/2001921]  BLEEDING-EDGE VIRUS - Greeting card gif.exe email incoming HTTP
IPv4: ->
      hlen=5 TOS=0 dlen=1329 ID=55156 flags=0 offset=0 TTL=115
TCP:  port=80 -> dport: 1286  flags=***AP*** seq=1611421800
      ack=1445276535 off=5 res=0 win=5840 urp=0 chksum=62777
Payload:  length = 1289

I have the gory details of the rest of it.  I know why the alert is
triggered: the string 'postcard.gif.exe' occurs in the HTML.  What I
understand is why this HTML page is being requested/sent at all.

Shane Castle
