Snort mailing list archives
Re: Linux and packet loss
From: Phil Wood <cpw () lanl gov>
Date: Thu, 2 Aug 2001 17:12:24 -0600
Jason,

Just a few thoughts on this subject:

In my case I don't want to see these events ever again. The net result of catching these was that my sql database machine ran up a 3Gig tab in 24 hours on the data, the partition was used up, and the 1,000,000 plus alerts in acid were lost to perpetuity. (most of those were ISAPI!). Also, all other logging ceased until I figured this out. Of course this is a perfect time to try some other forms of attack, because the sensors have all been disabled by a lack of anywhere to put the information.

In fact, what snort did was hang on a read of a response from the sql daemon, resulting in never getting off the current packet. It did this on 3 systems which were all dependent on the sql server.

Although it's nice to have the ACID interface to what's happening, I need to come up with a mechanism where capture is not in lock step with recording.

Also, it was really silly of me to capture this stuff. Why? Because the packets were not getting to a host that was vulnerable to the attack. All the Code Red infected machines (300,000+) that were pumping packets to port 80 on all the hosts on our class B were getting a response from a web proxy that told them to get their cryptocard out and get ready to do a little ssl dance.

Live and learn.

Later,

On Fri, Aug 03, 2001 at 09:28:24AM +1200, Jason Haar wrote:

> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .XXX attempt"; uricontent:".XXX?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:attempted-admin; reference:cve,CAN-2000-0071; sid:1243; rev:1;)
-- 
Phil Wood, cpw () lanl gov
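The decoupling Phil describes above (capture not in lock step with recording) as an added example; this is not code from the original post, from Snort or from ACID. It puts a bounded queue between the capture path and the recording backend: the capture side never waits on the backend, a single writer thread does, and when the backend stops answering (the "hang on a read of a response from the sql daemon" case) the queue fills and further alerts are counted as dropped rather than stalling the sensor on the current packet. The class and function names, the `HungSink`/`ListSink` stand-ins for the database, and the sample alerts (modelled on the sid 1243 rule quoted in the thread) are all my own constructions.

```python
"""Added example: alert capture decoupled from recording via a bounded queue.

log() is what the capture path calls; it never blocks. _drain() runs in a
writer thread and is the only place that waits on the backend. If the
backend hangs, the queue fills and log() counts drops instead of stalling.
"""
import queue
import threading
from dataclasses import dataclass


@dataclass
class CaptureStats:
    captured: int = 0   # alerts handed to log()
    enqueued: int = 0   # accepted into the queue
    dropped: int = 0    # rejected because the queue was full


class DecoupledLogger:
    def __init__(self, sink, maxsize=1000):
        self.sink = sink                       # callable that records one alert
        self._q = queue.Queue(maxsize=maxsize)
        self._stop = threading.Event()
        self.stats = CaptureStats()
        self._writer = threading.Thread(target=self._drain, daemon=True)
        self._writer.start()

    def log(self, alert):
        """Capture-path entry point. Returns False if the alert was dropped."""
        self.stats.captured += 1
        try:
            self._q.put_nowait(alert)          # never waits for the backend
        except queue.Full:
            self.stats.dropped += 1
            return False
        self.stats.enqueued += 1
        return True

    def _drain(self):
        """Writer thread: hands queued alerts to the backend one at a time."""
        while not self._stop.is_set():
            try:
                alert = self._q.get(timeout=0.1)
            except queue.Empty:
                continue
            try:
                self.sink(alert)               # may block for as long as the backend does
            except Exception:
                pass                           # a failed write must not take the sensor down
            finally:
                self._q.task_done()

    def flush(self):
        """Wait for a healthy backend to absorb everything queued so far."""
        self._q.join()

    def close(self):
        self._stop.set()


class ListSink:
    """Healthy backend: records every alert it is given."""
    def __init__(self):
        self.rows = []

    def __call__(self, alert):
        self.rows.append(alert)


class HungSink:
    """Backend whose first write never returns, standing in for a SQL daemon
    that stops answering. release is never set in this example."""
    def __init__(self):
        self.received = 0
        self.release = threading.Event()

    def __call__(self, alert):
        self.received += 1
        self.release.wait()


def make_alert(i):
    """Constructed sample alert, modelled on the sid 1243 rule quoted in the thread."""
    return {"sid": 1243, "msg": "WEB-IIS ISAPI .XXX attempt", "dport": 80,
            "src": f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"}


def simulate(sink, n_alerts, maxsize):
    """Push n_alerts through a logger in front of sink and return the logger."""
    lg = DecoupledLogger(sink, maxsize=maxsize)
    for i in range(n_alerts):
        lg.log(make_alert(i))
    return lg


if __name__ == "__main__":
    hung = simulate(HungSink(), n_alerts=5000, maxsize=100)
    print("hung backend:", hung.stats)     # capture loop finished; drops counted, sensor alive
    ok = simulate(ListSink(), n_alerts=50, maxsize=100)
    ok.flush()
    print("healthy backend:", ok.stats, "rows written:", len(ok.sink.rows))
```

With the hung backend the writer thread takes at most one alert before it blocks, the queue holds `maxsize` more, and every alert after that is a counted drop while the capture loop runs to completion; with the healthy backend `flush()` returns once every queued row has been written. The drop counter is the thing to alert on: a rising count means the recording side is the problem, which is exactly the condition Phil could not see while all three sensors sat on one packet.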