SnortSnarf alert page

Source: 130.54.208.201

SnortSnarf v021111.1

25 such alerts found using input module SnortFileInput, with sources:
Earliest: 17:42:25.756456 on 10/06/2009
Latest: 10:28:39.889033 on 09/04/2010

6 different signatures are present for 130.54.208.201 as a source

There is 1 distinct destination IP in the alerts of the type on this page.


[**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**]
10/06-17:42:25.756456 130.54.208.201:63363 -> 192.168.24.11:80
TCP TTL:48 TOS:0x0 ID:37468 IpLen:20 DgmLen:1312
***AP*** Seq: 0x787C209E Ack: 0xCEF6BDF Win: 0x5B4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2054631513 107424463
[**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**]
10/06-17:42:37.278287 130.54.208.201:63354 -> 192.168.24.11:80
TCP TTL:48 TOS:0x0 ID:42864 IpLen:20 DgmLen:1312
***AP*** Seq: 0x78641A4A Ack: 0xD9D5AEE Win: 0x5B4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 2054634394 107427344
[**] [1:2570:7] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
10/06-17:45:51.243602 130.54.208.201:63417 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:3912
***AP*** Seq: 0x843371D6 Ack: 0x1AAFD263 Win: 0x6C0 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://www.securityfocus.com/bid/9809]
[**] [1:2570:7] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
11/13-09:17:42.542947 130.54.208.201:61902 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:15326
***AP*** Seq: 0x723827AB Ack: 0xC7ADD43C Win: 0x3E96 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://www.securityfocus.com/bid/9809]
[**] [1:2570:7] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
11/13-16:53:37.043569 130.54.208.201:64094 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:9719
***AP*** Seq: 0x2D2B399C Ack: 0x8221DCBD Win: 0x102C TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://www.securityfocus.com/bid/9809]
[**] [1:2570:7] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
11/13-16:53:45.795996 130.54.208.201:60019 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:10215
***AP*** Seq: 0x2D8BB114 Ack: 0x81EBDCDC Win: 0x3E96 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://www.securityfocus.com/bid/9809]
[**] [1:2570:7] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
11/13-16:54:05.352384 130.54.208.201:64078 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:9002
***AP*** Seq: 0x2D965E40 Ack: 0x8219CA64 Win: 0x3E96 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://www.securityfocus.com/bid/9809]
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
11/14-10:34:21.605722 130.54.208.201:60471 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:7725
***AP*** Seq: 0xD1B436FC Ack: 0x273118AF Win: 0x3E96 TcpLen: 20
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
11/14-10:34:21.849633 130.54.208.201:60487 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:10633
***AP*** Seq: 0xD2081AA9 Ack: 0x26BB4D3D Win: 0x3E96 TcpLen: 20
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
11/20-08:55:57.084042 130.54.208.201:63639 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:6492
***AP*** Seq: 0xD2C8F315 Ack: 0x269D5E8B Win: 0x3E96 TcpLen: 20
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
11/21-08:36:38.673563 130.54.208.201:60431 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:10775
***AP*** Seq: 0xC7CF0E7F Ack: 0x1B584DC3 Win: 0x3E96 TcpLen: 20
[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
12/10-19:59:39.402453 130.54.208.201:60809 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:2918
***AP*** Seq: 0x7183CC67 Ack: 0xC65AEB26 Win: 0x21DD TcpLen: 20
[**] [1:2570:7] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
12/18-09:05:06.217337 130.54.208.201:63926 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:7788
***AP*** Seq: 0xB8448C21 Ack: 0xD53A204 Win: 0x3E96 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://www.securityfocus.com/bid/9809]
[**] [1:2570:7] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
12/18-09:05:07.993953 130.54.208.201:63930 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:7825
***AP*** Seq: 0xB861A5C9 Ack: 0xD4CCFE6 Win: 0x3E96 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://www.securityfocus.com/bid/9809]
[**] [1:2570:7] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
01/05-11:28:18.426600 130.54.208.201:62628 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:2240
***AP*** Seq: 0x2D196133 Ack: 0x836D592A Win: 0x3020 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://www.securityfocus.com/bid/9809]
[**] [1:2570:7] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
07/11-16:50:18.862240 130.54.208.201:62300 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:7197
***AP*** Seq: 0xB0652105 Ack: 0x9CB1C50E Win: 0x3E96 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://www.securityfocus.com/bid/9809]
[**] [1:1852:3] WEB-MISC robots.txt access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
07/12-10:55:19.032252 130.54.208.201:63687 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:5412
***AP*** Seq: 0xB1C33A0A Ack: 0x9DFB615E Win: 0x3E96 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10302]
[**] [1:1852:3] WEB-MISC robots.txt access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
07/14-10:09:47.746745 130.54.208.201:62669 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:5244
***AP*** Seq: 0x8204B927 Ack: 0x6DAC56DB Win: 0x3E96 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10302]
[**] [1:1852:3] WEB-MISC robots.txt access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
07/20-08:51:55.326893 130.54.208.201:63852 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:5888
***AP*** Seq: 0xCDC471BB Ack: 0xBB5080BE Win: 0x6C0 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10302]
[**] [1:1852:3] WEB-MISC robots.txt access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
07/21-10:21:06.084371 130.54.208.201:63703 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:6563
***AP*** Seq: 0x5D424AF9 Ack: 0x494232D1 Win: 0x1C35 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10302]
[**] [1:2570:7] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
07/30-13:50:25.735881 130.54.208.201:60868 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:10863
***AP*** Seq: 0x9E19073F Ack: 0x8B7DDBC1 Win: 0x3E96 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://www.securityfocus.com/bid/9809]
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
08/06-09:51:04.068161 130.54.208.201:60210 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:6610
***AP*** Seq: 0xC833DF24 Ack: 0xB4A5BBFF Win: 0x3E96 TcpLen: 20
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
08/06-09:51:04.117123 130.54.208.201:60208 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:8378
***AP*** Seq: 0xC795A0BE Ack: 0xB4A7AEFF Win: 0x3E96 TcpLen: 20
[**] [1:2570:7] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
08/30-16:41:30.878689 130.54.208.201:63787 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:11138
***AP*** Seq: 0xA18C2119 Ack: 0x8EC6EF6D Win: 0x3E96 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://www.securityfocus.com/bid/9809]
[**] [1:1852:3] WEB-MISC robots.txt access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
09/04-10:28:39.889033 130.54.208.201:62058 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1185
***AP*** Seq: 0x56510D7B Ack: 0x4B4D430E Win: 0x3E96 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10302]

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Sep 14 05:05:24 2010