Security Basics mailing list archives
IPS log analysis
From: erika_cispp () yahoo com
Date: 11 May 2008 11:58:43 -0000
My department has tasked me with keeping an eye on IPS logs for several customers. So far so good, until I came across this the other day. Has anyone seen this before? The customer says the traffic is definitely not coming from them, but my co-worker says it is not malicious. It is showing up on their app database logs.

9 0474: MS-SQL/SMB: sp_OACreate Program Execution Major 4 10.1.4.x 10.1.4.x Permit
10 0472:MS-SQL/SMB: sp_password Password Change Major 4 0.1.4.x 10.1.4.x Permit
22 0460: MS-SQL/SMB: raiserror Access Major 2 10.1.4.x 10.1.4.x Permit

Nothing else is ever permitted; it is always blocked. Also, this is the first time I have seen a natted source IP.

Typical "normal" log entry:

23 3885: HTTP: PHP File Include Exploit Critical 2 80.93.207.x 10.1.4.x Block

Any help would be appreciated.
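As an added example (not part of the original post, and not the IPS vendor's own tooling), the following Python script parses log lines in the column layout shown above and pulls out exactly the thing the poster noticed: events the sensor permitted at Major severity or higher, grouped by source and destination and tagged as internal (RFC 1918) or external. That is the first check an analyst would run to confirm "nothing else is ever permitted" and to see whether the permitted traffic is internal-to-internal. The sample lines, full IP addresses, and the severity ladder are constructed or assumed from the post; the real sensor's export format may differ.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the same layout as the post:
#   count  sig-id: category: name  severity  priority  src  dst  action
# The addresses are made up; the post masks the last octet with "x".
SAMPLE_LOG = """\
9 0474: MS-SQL/SMB: sp_OACreate Program Execution Major 4 10.1.4.21 10.1.4.10 Permit
10 0472:MS-SQL/SMB: sp_password Password Change Major 4 10.1.4.21 10.1.4.10 Permit
22 0460: MS-SQL/SMB: raiserror Access Major 2 10.1.4.21 10.1.4.10 Permit
23 3885: HTTP: PHP File Include Exploit Critical 2 80.93.207.14 10.1.4.10 Block
"""

# Severity names are assumed from the two values seen in the post (Major, Critical).
SEVERITY_RANK = {"Info": 0, "Warning": 1, "Minor": 2, "Major": 3, "Critical": 4}

LINE_RE = re.compile(
    r"^(?P<count>\d+)\s+(?P<sig_id>\d+):\s*(?P<category>\S+):\s+"
    r"(?P<name>.+?)\s+(?P<severity>Critical|Major|Minor|Warning|Info)\s+"
    r"(?P<priority>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<action>Permit|Block)$"
)


@dataclass
class Event:
    count: int      # how many times the sensor saw this signature
    sig_id: str
    category: str
    name: str
    severity: str
    priority: int
    src: str
    dst: str
    action: str


def parse_line(line):
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Event(int(d["count"]), d["sig_id"], d["category"], d["name"],
                 d["severity"], int(d["priority"]), d["src"], d["dst"], d["action"])


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def is_internal(addr):
    """True for RFC 1918 / private space (10/8, 172.16/12, 192.168/16)."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def find_permitted_high_severity(events, min_severity="Major"):
    """Events the sensor let through at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    return [e for e in events
            if e.action == "Permit" and SEVERITY_RANK[e.severity] >= threshold]


def summarize(events):
    """Group permitted high-severity events by (src, dst) with internal/external tags
    and the total hit count, so an analyst can see whether an inside host is the source."""
    summary = {}
    for e in find_permitted_high_severity(events):
        entry = summary.setdefault((e.src, e.dst), {
            "src_internal": is_internal(e.src),
            "dst_internal": is_internal(e.dst),
            "signatures": [],
            "hits": 0,
        })
        entry["signatures"].append(f"{e.sig_id} {e.name}")
        entry["hits"] += e.count
    return summary


if __name__ == "__main__":
    for (src, dst), info in summarize(parse_log(SAMPLE_LOG)).items():
        tag = lambda flag: "internal" if flag else "external"
        print(f"{src} ({tag(info['src_internal'])}) -> {dst} ({tag(info['dst_internal'])}): "
              f"{info['hits']} permitted hits: {', '.join(info['signatures'])}")
```

On the sample data the only permitted events are the three MS-SQL/SMB signatures from a private source to a private destination, while the external PHP include attempt is blocked, which is the pattern the post describes; on a real export, run it over the full day and compare the permitted set against the customer's change windows before deciding whether the stored-procedure calls are expected application behaviour.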
Current thread:
- IPS log analysis erika_cispp (May 12)
- Re: IPS log analysis LGM (May 12)
- <Possible follow-ups>
- Re: IPS log analysis erika_cissp (May 12)
- RE: IPS log analysis Sergio Castro (May 12)