From DNSstuff they include:
WEB-CLIENT Malformed PNG detected iTXt overflow attempt
WEB-CLIENT Malformed PNG detected tEXt overflow attempt (example below)
WEB-CLIENT Malformed PNG detected iCCP overflow attempt
Intrusion Protection Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.
Details about the intrusion alert:
Message........: WEB-CLIENT Malformed PNG detected tEXt overflow attempt
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=6700
Time...........: 2009:06:19-01:09:30
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)
Source IP address: 74.53.59.133 (85.3b.354a.static.theplanet.com)
Source port: 80 (http)
Destination IP address: 192.168.1.253 (My General PC I browsed from)
Destination port: 3846
An error from SNORT included:
Intrusion Protection Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.
Details about the intrusion alert:
Message........: WEB-CLIENT Malformed PNG detected iCCP overflow attempt
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=6690
Time...........: 2009:06:19-01:09:11
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Attempted User Privilege Gain
IP protocol....: 6 (TCP)
Source IP address: 68.177.102.20 (Snort :: Home Page)
Source port: 80 (http)
Destination IP address: 192.168.1.253 (My General PC I browsed from)
Destination port: 3823
Also, neither of the SNORT links to details works; they come up with a 404, but I believe this was addressed here:
http://www.astaro.org/astaro-beta-versions/asg-v7-500-beta/26169-confirmed-fixed-10610-7-450-bug-link-snort-notification-leads-error-404-a.html
Another rather startling one was from the Astaro FTP servers [:O]
Intrusion Protection Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.
Details about the intrusion alert:
Message........: SHELLCODE x86 NOOP
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=648
Time...........: 2009:06:18-23:53:02
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Executable code was detected
IP protocol....: 6 (TCP)
Source IP address: 128.242.114.245
Source port: 58046
Destination IP address: 192.168.1.253
Destination port: 1272 (cspmlockmgr)
Even ones from Google [:O]
Intrusion Protection Alert
An intrusion has been detected. The packet has been dropped automatically.
You can toggle this rule between "drop" and "alert only" in WebAdmin.
Details about the intrusion alert:
Message........: WEB-CLIENT wmf file arbitrary code execution attempt
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=5318
Time...........: 2009:06:18-19:48:37
Packet dropped.: yes
Priority.......: 1 (high)
Classification.: Web Application Attack
IP protocol....: 6 (TCP)
Source IP address: 209.85.227.136 (wy-in-f136.google.com)
Source port: 80 (http)
Destination IP address: 192.168.1.253
Destination port: 1848 (fjdocdist)
Could this be a result of a more sensitive IPS system which is incomplete? While posting this I have just received a ton more from different websites.
I used to get 1, maybe 2, logged IPS attacks every other day; now I have got "IPS: 88 attacks blocked" in the past hour and a half of the new day (1:30am here) [:O]