Snort mailing list archives
Re: My Webservers Are Showing Up In My Alerts
From: "Vadim Pushkin" <wiskbroom () hotmail com>
Date: Fri, 14 Jun 2002 00:24:22 +0000
I already did that, in fact I have this instead:

    alert tcp $EXTERNAL_NET any -> !$HTTP_SERVERS 8080 (msg:"SCAN Proxy \(8080\) attempt"; flags:S; classtype:attempted-recon; sid:620; rev:2;)

The problem is that these are ALSO my proxy servers running Squid. As such, they are the springboard into "other" people's webservers. Because of this I get a lot of WEB-cgi calendar, WEB-IIS scripts, etc. to these machines. Should I add a "!" into ALL of my rules? I hope not :-)

Thanks again,
Vad

From: matt <mkettler () evi-inc com>
To: "Vadim Pushkin" <wiskbroom () hotmail com>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] My Webservers Are Showing Up In My Alerts
Date: Thu, 13 Jun 2002 18:38:18 -0400

Ahh you're probably getting "SCAN Proxy Attempt" alerts, since port 8080 (along with 1080) is often used for socks proxy servers. Snort's default ruleset assumes any attempt to connect to port 8080 is someone scanning for proxy servers to abuse.

Go into scan.rules and comment out this rule:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy attempt";flags:S; classtype:attempted-recon; sid:620; rev:1;)

and that should quiet your alerts.

At 10:26 PM 6/13/2002 +0000, Vadim Pushkin wrote:

Hi and thank you,

They are merely accesses to my port 8080, not break-ins at all. Perhaps they are perceived this way due to my port change? I do not know. My servers listen on port 8080 and the users are legit, mostly internal.

Vadim

From: Matt Kettler <mkettler () evi-inc com>
To: "Vadim Pushkin" <wiskbroom () hotmail com>, snort-users () lists sourceforge net
Subject: Re: [Snort-users] My Webservers Are Showing Up In My Alerts
Date: Thu, 13 Jun 2002 17:34:34 -0400

Well, that's not surprising.. A lot of the alerts you see are likely to be things like codered, IIS cmd.exe and other such things, directory traversals, etc. These usually represent actual attack attempts on your webserver. It is usually being done by a virus or an automated tool. It's not uncommon for a webserver to see dozens of these a day. The net is a brutal place, and it's not uncommon to see a network block have exploit attempts hundreds of times per day. Particularly if snort is watching unfiltered traffic in front of your firewall.

My best recommendation is that if the alerts bother you, and you KNOW that your webserver cannot possibly be vulnerable, comment out the rule in the .rules file (for example, if all your webservers are BSD or Linux Apache webservers it's pretty safe to comment out the cmd.exe rule).

It is important to note however that they aren't false alerts, they are usually genuine attempts to penetrate your webserver to run malicious code. Snort takes the stand of having alerts for attempts, even if they were not successful, because most events that do result in a real compromise are "noisy" in that they have a lot of failed attempts preceding the one that succeeded.

At 07:18 PM 6/13/2002 +0000, Vadim Pushkin wrote:

Greetings Fellows;

My snort.conf has the following entries:

    var HTTP_SERVERS [192.168.11.41/32,192.168.11.42/32,192.168.11.43/32,192.168.11.44/32]
    # Above is all on one line
    var HTTP_SERVERS_PORT 8080

Several of my rules have port 80 replaced with $HTTP_SERVERS_PORT. I am getting A LOT of alerts for these as either source or dest. How can I prevent this?

Thank you kindly,

-vadim
Vadim (Ukranian Stallion) Pushkin

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-vadim
Vadim (Ukranian Stallion) Pushkin
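The thread weighs two ways of quieting these alerts: commenting a rule out of the .rules file by hand, or putting a "!" in front of $HTTP_SERVERS on one side of the header, as in the sid 620 rule above. The script below is an added illustration (not code from the thread or from the Snort project) of doing either adjustment across a ruleset by sid, so the edit is repeatable when the stock rules are updated. It assumes the Snort 1.x/2.x one-line rule syntax quoted in the thread; the sample ruleset is constructed, and sid 1000001 is a made-up local rule standing in for the WEB-IIS signatures the thread mentions.

```python
"""Bulk-tune a Snort ruleset by sid (added illustration, not Snort's own tooling).

Two adjustments the thread discusses: excluding a host variable such as
$HTTP_SERVERS from one side of a rule header (the "!" approach), and
commenting a rule out entirely. Rule text is the Snort 1.x/2.x line syntax.
"""
import re
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional, Set

# header: action proto src sport direction dst dport, then "(options)"
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    opts: str

    def render(self) -> str:
        return (f"{self.action} {self.proto} {self.src} {self.sport} "
                f"{self.direction} {self.dst} {self.dport} ({self.opts})")


def parse_rule(line: str) -> Optional[Rule]:
    """Rule for an active rule line; None for comments, blanks and directives."""
    m = RULE_RE.match(line.strip())
    return Rule(**m.groupdict()) if m else None


def sid_of(rule: Rule) -> Optional[int]:
    m = SID_RE.search(rule.opts)
    return int(m.group(1)) if m else None


def bump_rev(opts: str) -> str:
    """Increment rev: so a locally edited rule is distinguishable from stock."""
    return REV_RE.sub(lambda m: f"rev:{int(m.group(1)) + 1};", opts, count=1)


def exclude_hosts(rule: Rule, hosts_var: str, side: str) -> Rule:
    """Replace the src or dst address of a rule with the negated variable,
    e.g. $HOME_NET -> !$HTTP_SERVERS, as in the sid 620 rule in the thread.
    A rule that already carries the negation is returned unchanged."""
    negated = "!" + hosts_var
    if getattr(rule, side) == negated:
        return rule
    return replace(rule, **{side: negated, "opts": bump_rev(rule.opts)})


def tune_ruleset(lines: Iterable[str], hosts_var: str,
                 exclude_dst: Set[int] = frozenset(),
                 exclude_src: Set[int] = frozenset(),
                 disable: Set[int] = frozenset()) -> List[str]:
    """Apply the per-sid adjustments; non-rule lines pass through untouched."""
    out = []
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            out.append(line)
            continue
        sid = sid_of(rule)
        if sid in disable:
            out.append("# disabled locally: " + line.strip())
            continue
        if sid in exclude_dst:
            rule = exclude_hosts(rule, hosts_var, "dst")
        if sid in exclude_src:
            rule = exclude_hosts(rule, hosts_var, "src")
        out.append(rule.render())
    return out


# Constructed sample: the stock sid 620 rule quoted in the thread, plus a
# made-up local rule (sid 1000001, in the local-rule range) standing in for
# the WEB-IIS signatures that fire on traffic relayed through the proxies.
SAMPLE_RULES = [
    "# constructed sample ruleset",
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy attempt";'
    'flags:S; classtype:attempted-recon; sid:620; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_SERVERS_PORT '
    '(msg:"LOCAL web script probe"; flow:to_server,established; '
    'content:"cmd.exe"; nocase; sid:1000001; rev:1;)',
]

if __name__ == "__main__":
    for line in tune_ruleset(SAMPLE_RULES, "$HTTP_SERVERS",
                             exclude_dst={620}, disable={1000001}):
        print(line)
```

Two caveats follow from the thread itself. Replacing $HOME_NET with !$HTTP_SERVERS, as the sid 620 rule above does, drops the $HOME_NET restriction, so the rule now fires for port 8080 SYNs to any destination that is not a listed server. And because the Squid proxies relay requests onward, the WEB-cgi and WEB-IIS alerts show the proxies as the source; `exclude_src` silences those, but it also hides the case Matt Kettler describes, where a genuine attack is launched from a box on the inside, so it is worth keeping the disabled and negated sids in a short list that is reviewed when the ruleset is refreshed.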