Snort mailing list archives
alert file
From: Zachary Uram <yoda () orion netrek org>
Date: 23 Oct 2002 22:12:44 -0400
Hi,

How can I tell which Snort alerts I should be concerned about and which are harmless? I was running various IDS programs but the trigger threshold seemed so low I was getting root mailed every 20 secs with some different sort of "alert", sheesh. Here is a small sample of my /var/log/snort/alert file, which is now over 200Kb! Do any of these entries seem troubling?

(PS: Can someone explain exactly how I interpret these alerts? Perhaps someone could take one of the examples below and explain in detail what it really is saying.)

[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-08:44:22.007315 209.16.250.107:2333 -> 209.166.149.198:80
TCP TTL:113 TOS:0x0 ID:55556 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xD9C61308 Ack: 0xF34FE080 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-08:44:23.305171 209.16.250.107:2409 -> 209.166.149.198:80
TCP TTL:113 TOS:0x0 ID:55894 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xDA026642 Ack: 0xF3814B1A Win: 0x4470 TcpLen: 20

[**] [1:1243:2] WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/09-07:33:03.245945 202.3.163.94:1043 -> 209.114.157.210:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1504
***AP*** Seq: 0x13301FBD Ack: 0x81338CD8 Win: 0x7D78 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS552]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071]

[**] [1:620:1] SCAN Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/02-01:04:42.380797 66.140.25.157:41323 -> 209.114.157.102:8080
TCP TTL:50 TOS:0x0 ID:4457 IpLen:20 DgmLen:60 DF
******S* Seq: 0xB1259605 Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 254576492 0 NOP WS: 0

[**] [1:618:1] INFO - Possible Squid Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/02-01:04:42.391610 66.140.25.157:41324 -> 209.114.157.102:3128
TCP TTL:50 TOS:0x0 ID:38290 IpLen:20 DgmLen:60 DF
******S* Seq: 0xB12412FE Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 254576492 0 NOP WS: 0

[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 66.140.25.157 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
06/02-01:04:42.705097

[**] [100:2:1] spp_portscan: portscan status from 66.140.25.157: 5 connections across 1 hosts: TCP(5), UDP(0) [**]
06/02-01:45:57.095856

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
06/11-16:58:24.731259 64.12.128.150 -> 209.166.149.133
ICMP TTL:240 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
209.166.149.133:1619 -> 64.12.163.214:21
TCP TTL:49 TOS:0x0 ID:23628 IpLen:20 DgmLen:60 DF
Seq: 0xE413B5A3 Ack: 0x1030300
** END OF DUMP

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/21-04:04:16.206809 216.17.162.57 -> 209.114.157.5
ICMP TTL:25 TOS:0x0 ID:39126 IpLen:20 DgmLen:28
Type:8 Code:0 ID:32305 Seq:0 ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:477:1] ICMP Source Quench [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/24-06:36:42.576710 66.37.218.174 -> 209.114.157.24
ICMP TTL:237 TOS:0x0 ID:12946 IpLen:20 DgmLen:56 DF
Type:4 Code:0 SOURCE QUENCH

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
09/28-10:12:25.898514 209.114.157.221 -> 209.114.157.222
ICMP TTL:127 TOS:0x0 ID:59706 IpLen:20 DgmLen:60
Type:8 Code:0 ID:49409 Seq:256 ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
09/28-10:12:26.738515 209.114.157.221 -> 209.114.157.222
ICMP TTL:127 TOS:0x0 ID:59707 IpLen:20 DgmLen:60
Type:8 Code:0 ID:49409 Seq:512 ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [117:1:1] (spp_portscan2) Portscan detected from 216.23.79.73: 1 targets 21 ports in 34 seconds [**]
10/19-16:20:36.260326 216.23.79.73:80 -> 209.114.157.248:1643
TCP TTL:49 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0xD374503C Ack: 0xBF02541A Win: 0x16A0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 502137444 5021379 NOP
TCP Options => WS: 0

[**] [1:613:1] SCAN myscan [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/20-03:36:59.790314 209.15.153.130:10101 -> 209.114.157.149:23
TCP TTL:243 TOS:0x0 ID:39291 IpLen:20 DgmLen:40
******S* Seq: 0x64 Ack: 0x0 Win: 0x200 TcpLen: 20
[Xref => arachnids 439]

Zach
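As an added example (not part of the original post or of Snort itself), a small Python parser for the full-alert format quoted above: each record opens with a `[**] [gid:sid:rev] message [**]` line, is followed by the `[Classification: ...] [Priority: N]` line for rule-based alerts (preprocessor alerts such as spp_portscan have none), then the `timestamp src[:port] -> dst[:port]` line and protocol detail, and the parser groups the result by Snort priority so the few Priority 1 hits are read first. The three sample entries are copied from the post; the dictionary field names and the `triage` helper are my own.

```python
import re
from collections import Counter

# Constructed sample: three entries from the alert file quoted in the post above, laid out the way
# Snort's full-alert output writes them (header, classification, packet line, protocol detail).
SAMPLE_ALERT = """\
[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-08:44:22.007315 209.16.250.107:2333 -> 209.166.149.198:80
TCP TTL:113 TOS:0x0 ID:55556 IpLen:20 DgmLen:112 DF

[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 66.140.25.157 (THRESHOLD 4 connections exceeded in 0 seconds) [**]
06/02-01:04:42.705097

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/21-04:04:16.206809 216.17.162.57 -> 209.114.157.5
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")  # [gid:sid:rev] message
CLASS = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
PACKET = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)"                 # timestamp, then optionally
                    r"(?: (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?)?$")     # src[:port] -> dst[:port]

def parse_alerts(text):
    """Return one dict per alert; a record starts at every '[**] [gid:sid:rev] msg [**]' line."""
    records = []
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            gid, sid, rev, msg = m.groups()
            # Preprocessor alerts (gid 100, spp_portscan) carry no packet line; the scanner is named in the message.
            src = re.search(r"\bfrom (\d+(?:\.\d+){3})", msg)
            records.append({"sid": f"{gid}:{sid}:{rev}", "msg": msg, "classification": None, "priority": None,
                            "time": None, "src": src.group(1) if src else None, "dst": None, "dport": None})
        elif records and (m := CLASS.match(line)):
            records[-1]["classification"], records[-1]["priority"] = m.group(1), int(m.group(2))
        elif records and (m := PACKET.match(line)):
            ts, src, _sport, dst, dport = m.groups()
            records[-1].update(time=ts, src=src or records[-1]["src"], dst=dst,
                               dport=int(dport) if dport else None)
    return records

def triage(records):
    """Bucket messages by priority (1 = most severe, None = preprocessor) and count source addresses."""
    by_priority = {}
    for r in records:
        by_priority.setdefault(r["priority"], []).append(r["msg"])
    return by_priority, Counter(r["src"] for r in records if r["src"])
```

Against a real file, `triage(parse_alerts(open("/var/log/snort/alert").read()))` gives the per-priority buckets and the most frequent source addresses, which is a quicker way to find the handful of entries worth reading than paging through the whole log.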