1) SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder [Classification: Executable Code was Detected] [Priority: 1] {TCP} 192.168.202.50:60322 -> 192.168.22.252:445
   a) What does this alert mean? What is the signature looking for? And if it gets through, what will happen?
   b) Which IP is the attacker?
2) Data on SYN packet [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.199.58:63000 -> 192.168.28.100:60000
   a) What does this alert mean? What is the signature looking for? And if it gets through, what will happen?
   b) Which part of the Snort architecture did this alert come from?
3) SPYWARE-PUT Hacker-Tool timbuktu pro runtime detection - udp port 407 [Classification: Misc activity] [Priority: 3] {UDP} 192.168.199.58:59173 -> 192.168.22.201:407
   a) What does this alert mean? What is the signature looking for? And if it gets through, what will happen?
   b) Who is the host and who is the victim?
4) snort: [1:3815:6] SMTP eXchange POP3 mail server overflow attempt [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.199.58:60327 -> 192.168.21.151:25
   a) What does this alert mean? What is the signature looking for? And if it gets through, what will happen?
   b) Who is the host and who is the attacker?
I have done a ton of searches but could not understand or find any detailed information about those signatures. Please help.
So, let me structure this in one answer:
1)
This event indicates that shellcode has been detected in network traffic, so if that code gets through and gets executed, you end up with a backdoor.
192.168.202.50:60322 seems to be the attacking IP, and it is trying to exploit some vulnerability on the Windows box 192.168.22.252:445.
2)
3)
4)
But in all those cases, it seems 192.168.199.58 is probably exploited, or something from that box is probing the LAN network.
I would also scan 192.168.199.50 and .58 to figure out who is on those boxes and check for any current connections from foreign addresses that might have exploited these two boxes.
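The first step in answering "who is the attacker" for a batch of alerts like these is to parse the Snort fast-alert lines and count which address keeps showing up as the source. The following is an added example (not code from the question, the answer, or Snort itself) that parses lines in the format quoted above and tallies sources, targets and the most severe priority seen per source; the sample lines are constructed from the alerts in the question.

```python
import re
from collections import Counter

# Constructed sample lines in Snort "fast" alert format, modelled on the ones quoted in the question.
SAMPLE_ALERTS = [
    "SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder [Classification: Executable Code was Detected] [Priority: 1] {TCP} 192.168.202.50:60322 -> 192.168.22.252:445",
    "Data on SYN packet [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.199.58:63000 -> 192.168.28.100:60000",
    "SPYWARE-PUT Hacker-Tool timbuktu pro runtime detection - udp port 407 [Classification: Misc activity] [Priority: 3] {UDP} 192.168.199.58:59173 -> 192.168.22.201:407",
    "snort: [1:3815:6] SMTP eXchange POP3 mail server overflow attempt [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.199.58:60327 -> 192.168.21.151:25",
]

# Optional "snort:" prefix and optional [gid:sid:rev], then message, classification, priority,
# protocol in braces, and "src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r"^(?:snort:\s*)?(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*)?"
    r"(?P<msg>.+?)\s*\[Classification:\s*(?P<cls>[^\]]+)\]\s*"
    r"\[Priority:\s*(?P<prio>\d+)\]\s*\{(?P<proto>[A-Z]+)\}\s*"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s*->\s*(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not in fast-alert format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"])
    for k in ("sport", "dport"):
        d[k] = int(d[k]) if d[k] else None
    return d

def triage(lines):
    """Count alerts per source and per target, and record the most severe (lowest number)
    Snort priority seen from each source. Lines that do not parse are skipped."""
    sources, targets, worst = Counter(), Counter(), {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        sources[a["src"]] += 1
        targets[a["dst"]] += 1
        worst[a["src"]] = min(worst.get(a["src"], 99), a["prio"])  # 99 = "nothing seen yet"
    return {"sources": sources, "targets": targets, "worst": worst}

if __name__ == "__main__":
    t = triage(SAMPLE_ALERTS)
    for ip, n in t["sources"].most_common():
        print(f"{ip}: {n} alert(s) as source, most severe priority {t['worst'][ip]}")
```

A source that appears across several unrelated signatures against several internal targets (as 192.168.199.58 does here) is the box to look at first, whether it is the attacker or a compromised host being used as a pivot.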