[Dshield] ISCAlert triggering Snort alerts

Castle, Shane scastle at co.boulder.co.us
Wed Aug 10 15:31:28 GMT 2005


My ISCAlert in the systray has started triggering Snort (bleeding-snort)
alerts.  Here is a synopsis:

Generated by BASE v1.1.2 (zora) on Wed, 10 Aug 2005 09:26:42 -0600

------------------------------------------------------------------------------
#(1 - 977224) [2005-08-10 09:10:52]
[url/securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html]
 [snort/2001921]  BLEEDING-EDGE VIRUS - Greeting card gif.exe email incoming HTTP
IPv4: 65.173.218.98 -> 192.168.3.250
      hlen=5 TOS=0 dlen=1329 ID=55156 flags=0 offset=0 TTL=115 chksum=19104
TCP:  port=80 -> dport: 1286  flags=***AP*** seq=1611421800
      ack=1445276535 off=5 res=0 win=5840 urp=0 chksum=62777
Payload:  length = 1289
------------------------------------------------------------------------------

I have the gory details of the rest of it.  I know why the alert is being
triggered: the string 'postcard.gif.exe' occurs in the HTML.  What I don't
understand is why this HTML page is being requested/sent at all.

--
Shane Castle
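The false positive Shane describes comes from a content-only rule: the attachment name appears as plain text in a vendor write-up, not as an actual attachment. The script below is an added illustration, not part of the original post or of the bleeding-snort rule; both samples (an advisory-style HTTP response and an SMTP message carrying the attachment) are constructed, and the checks are simplified stand-ins for the real signature.

```python
import re

# Constructed sample 1: an HTTP response carrying a vendor write-up that
# merely mentions the attachment name (the situation from the post).
ADVISORY_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>VBS.Postcard@mm</h1>"
    "<p>The worm arrives as an attachment named postcard.gif.exe.</p>"
    "</body></html>"
)

# Constructed sample 2: an SMTP message that actually carries the attachment.
MAIL_WITH_ATTACHMENT = (
    "From: sender@example.invalid\r\n"
    "Subject: You have a greeting card!\r\n"
    "Content-Type: multipart/mixed; boundary=XYZ\r\n\r\n"
    "--XYZ\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Disposition: attachment; filename=\"postcard.gif.exe\"\r\n\r\n"
    "TVqQAAMAAAAEAAAA\r\n"
    "--XYZ--\r\n"
)

INDICATOR = "postcard.gif.exe"


def naive_match(data: str) -> bool:
    """Content-only check: fires on any mention of the string, as a plain content rule does."""
    return INDICATOR.lower() in data.lower()


# Only accept the name when it is the filename of an attachment part.
_DISPOSITION = re.compile(
    r'^content-disposition:\s*attachment;.*?filename="?([^";\r\n]+)',
    re.IGNORECASE | re.MULTILINE,
)


def attachment_match(data: str) -> bool:
    """Context-aware check: fires only when the name is an actual attachment filename."""
    names = _DISPOSITION.findall(data)
    return any(n.strip().lower().endswith(INDICATOR) for n in names)


def classify(data: str) -> str:
    """Triage verdict: real attachment -> alert; mention in body text -> likely false positive."""
    if attachment_match(data):
        return "alert"
    if naive_match(data):
        return "mention-only (likely false positive)"
    return "clean"
```

Running classify() over the two samples shows the advisory page trips only the naive check, while the message with the attachment trips both.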