Snort mailing list archives
Same alerts generation
From: hlima () pbh gov br
Date: Thu, 23 Oct 2003 09:19:46 +0300 (BRT)
Hello all. I've been using SNORT 2.0.0 for a couple of weeks and Oinkmaster to update its rules. The reason why I'm writing this email is that I have been getting the following same 8 alerts:

1 - 09/26-11:18:03.541838 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 200.183.85.231 -> 200.186.217.147
2 - 10/03-11:06:20.603344 [**] [1:1841:2] WEB-CLIENT javascript URL host spoofing attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 200.162.176.13:80 -> 200.186.217.173:35854
3 - 10/03-11:21:23.020325 [**] [1:615:3] SCAN SOCKS Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 211.216.81.175:1044 -> 200.186.217.147:1080
4 - 10/08-18:41:04.295973 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 66.248.98.112:3020 -> 200.186.217.146:1434
5 - 10/08-21:23:02.344940 [**] [1:620:3] SCAN Proxy (8080) attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 68.170.234.106:0 -> 200.186.217.147:8080
7 - 10/08-21:48:42.671706 [**] [1:618:4] SCAN Squid Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 68.170.234.106:0 -> 200.186.217.147:3128
8 - 10/20-07:12:54.320578 [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 200.186.217.129 -> 200.186.217.173

My network is big and I THINK I could be getting more alerts. I have configured the snort.conf file informing my HOME_NET, the EXTERNAL_NET, my DNS and SMTP servers. I have not edited anything else on this file. On this same file there are some rules files that are commented out, like backdoor.rules, porn.rules, policy.rules, chat.rules, etc. They were automatically commented out when I installed SNORT 2.0.0. Still, the majority of rules files are enabled.
Please someone give some suggestion regarding enabling those rules above or whether I should inform something else on the snort.conf file. Should I still install the newest SNORT version even having the Oinkmaster software updating my rules?

Thanks in Advance

Henrique de Lima
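Added example, not part of the original post or of Snort itself: a small parser for Snort fast-alert lines like the ones pasted above, with an aggregation step that groups them by rule SID, priority, protocol and target host so a recurring set of alerts can be triaged instead of read one by one. The function names (parse_alert, summarize), the SAMPLE_ALERTS list (the seven alerts from the post, re-joined where the mail client wrapped them, plus one constructed non-alert line) and the summary layout are all this example's own choices.

```python
"""Parse Snort alert_fast-style lines and summarize repeated alerts for triage.

Added example; not code from the original post or from the Snort project.
SAMPLE_ALERTS holds the seven alerts pasted in the post (re-joined where the
mail wrapped them); the final 'noise' line is constructed to show that
non-alert lines are skipped rather than breaking the parser.
"""
import re
from collections import Counter

# Layout of a Snort fast alert as it appears in the post:
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: n] {PROTO} src[:port] -> dst[:port]
# Classification is optional (rules without a classtype omit it) and
# ICMP lines carry no ports, so both are optional groups.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?\s*$"
)

SAMPLE_ALERTS = [
    "09/26-11:18:03.541838 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 200.183.85.231 -> 200.186.217.147",
    "10/03-11:06:20.603344 [**] [1:1841:2] WEB-CLIENT javascript URL host spoofing attempt [**] "
    "[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 200.162.176.13:80 -> 200.186.217.173:35854",
    "10/03-11:21:23.020325 [**] [1:615:3] SCAN SOCKS Proxy attempt [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 211.216.81.175:1044 -> 200.186.217.147:1080",
    "10/08-18:41:04.295973 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] "
    "[Classification: Misc Attack] [Priority: 2] {UDP} 66.248.98.112:3020 -> 200.186.217.146:1434",
    "10/08-21:23:02.344940 [**] [1:620:3] SCAN Proxy (8080) attempt [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 68.170.234.106:0 -> 200.186.217.147:8080",
    "10/08-21:48:42.671706 [**] [1:618:4] SCAN Squid Proxy attempt [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 68.170.234.106:0 -> 200.186.217.147:3128",
    "10/20-07:12:54.320578 [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 200.186.217.129 -> 200.186.217.173",
    "# constructed noise line: not an alert",
]


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        fields[key] = int(fields[key])
    for key in ("sport", "dport"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def summarize(lines):
    """Aggregate parsed alerts by SID, priority, protocol and destination host."""
    summary = {
        "parsed": 0,
        "skipped": 0,
        "by_sid": Counter(),
        "by_priority": Counter(),
        "by_proto": Counter(),
        "by_dst": Counter(),
        "high_priority": [],  # priority 1 alerts are the ones to look at first
    }
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            summary["skipped"] += 1
            continue
        summary["parsed"] += 1
        summary["by_sid"][(alert["gid"], alert["sid"])] += 1
        summary["by_priority"][alert["prio"]] += 1
        summary["by_proto"][alert["proto"]] += 1
        summary["by_dst"][alert["dst"]] += 1
        if alert["prio"] == 1:
            summary["high_priority"].append(
                (alert["sid"], alert["msg"], alert["src"], alert["dst"]))
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_ALERTS)
    print(f"parsed {s['parsed']} alerts, skipped {s['skipped']} non-alert lines")
    for prio in sorted(s["by_priority"]):
        print(f"priority {prio}: {s['by_priority'][prio]} alert(s)")
    for (gid, sid), n in s["by_sid"].most_common():
        print(f"  rule {gid}:{sid} fired {n} time(s)")
    for dst, n in s["by_dst"].most_common():
        print(f"  target {dst}: {n} alert(s)")
    for sid, msg, src, dst in s["high_priority"]:
        print(f"  PRIORITY 1 sid {sid}: {msg} ({src} -> {dst})")
```

Run it against a real alert file with `summarize(open("alert").read().splitlines())`. The `[gid:sid:rev]` field is the key for the question in the post: the SID is what to search for across the rules directory to find which `.rules` file a recurring alert comes from, and therefore whether enabling one of the commented-out files would change what is seen.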