SnortSnarf alert page

Source: 195.150.76.184

SnortSnarf v021111.1

5 such alerts found using input module SnortFileInput, with sources:
Earliest: 17:46:56.024131 on 10/18/2009
Latest: 01:49:15.819470 on 10/19/2009

2 different signatures are present for 195.150.76.184 as a source

There is 1 distinct destination IP in the alerts of the type on this page.

[**] [1:2570:7] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
10/18-17:46:56.024131 195.150.76.184:51652 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:553
***AP*** Seq: 0x35C5C93D Ack: 0x3EFD967 Win: 0xFAF0 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://www.securityfocus.com/bid/9809]

[**] [1:2570:7] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
10/18-17:47:48.202305 195.150.76.184:51673 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:349
***AP*** Seq: 0x3675A719 Ack: 0x79BB42E Win: 0x81F0 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://www.securityfocus.com/bid/9809]

[**] [1:2570:7] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
10/19-01:41:32.984667 195.150.76.184:51585 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:553
***AP*** Seq: 0xD5081F03 Ack: 0x506F0D6 Win: 0xF9AB TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://www.securityfocus.com/bid/9809]

[**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**]
10/19-01:41:49.309996 195.150.76.184:51605 -> 192.168.24.11:80
TCP TTL:38 TOS:0x0 ID:2301 IpLen:20 DgmLen:376
***AP*** Seq: 0xD5621CE5 Ack: 0x544AFCD Win: 0xFAF0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 50808 373810805

[**] [1:2570:7] WEB-MISC Invalid HTTP Version String [**]
[Classification: Detection of a non-standard protocol or event] [Priority: 2]
10/19-01:49:15.819470 195.150.76.184:51909 -> 192.168.24.11:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:359
***AP*** Seq: 0xDCA71331 Ack: 0x212A2D55 Win: 0xFAF0 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11593][Xref => http://www.securityfocus.com/bid/9809]

SnortSnarf brought to you courtesy of Silicon Defense
Authors: Jim Hoagland and Stuart Staniford
See also the Snort Page by Marty Roesch
Page generated at Tue Sep 14 05:05:26 2010