Snort mailing list archives
Sneeze
From: Peggy Kam <ppkam () n-dsi com>
Date: Fri, 06 Feb 2004 16:17:34 -0500
Hi, I believe that I was able to get sneeze running properly, i.e. when I tried running the following command on 192.168.22.205:

./sneeze.pl -d 192.168.22.205 -f /prod/etc/snort/dos.rules -s 192.168.22.123 -i eth0

it generates the following:

ATTACK: :45068 -> 192.168.22.205:64238
ATTACK: DOS Jolt attack
ATTACK TYPE: attempted-dos
ip :28282 -> 192.168.22.205:25713
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0345
ATTACK: DOS Teardrop attack
ATTACK TYPE: attempted-dos
udp :41624 -> 192.168.22.205:1658
Reference => http://www.securityfocus.com/bid/124
Reference => http://www.cert.org/advisories/CA-1997-28.html
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0015
ATTACK: DOS UDP echo+chargen bomb
ATTACK TYPE: attempted-dos
udp :19 -> 192.168.22.205:7
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0103
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0635
ATTACK: DOS IGMP dos attack
ATTACK TYPE: attempted-dos
ip :46144 -> 192.168.22.205:35580
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0918
ATTACK: DOS IGMP dos attack
ATTACK TYPE: attempted-dos
ip :38226 -> 192.168.22.205:53283
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0918
ATTACK: DOS ath
ATTACK TYPE: attempted-dos
icmp :45358 -> 192.168.22.205:55818
Reference => http://www.whitehats.com/info/IDS264
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1228
ATTACK: DOS NAPTHA
ATTACK TYPE: attempted-dos
tcp :33887 -> 192.168.22.205:24469
Reference => http://www.securityfocus.com/bid/2022
Reference => http://razor.bindview.com/publish/advisories/adv_NAPTHA.html
Reference => http://www.cert.org/advisories/CA-2000-21.html
Reference => http://www.microsoft.com/technet/security/bulletin/MS00-091.asp
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1039
ATTACK: DOS Real Audio Server
ATTACK TYPE: attempted-dos
tcp :49921 -> 192.168.22.205:7070
Reference => http://www.whitehats.com/info/IDS411
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0474
Reference => http://www.securityfocus.com/bid/1288
ATTACK: DOS Real Server template.html
ATTACK TYPE: attempted-dos
tcp :41169 -> 192.168.22.205:7070
Reference => http://www.securityfocus.com/bid/1288
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0474
ATTACK: DOS Real Server template.html
ATTACK TYPE: attempted-dos
tcp :3084 -> 192.168.22.205:8080
Reference => http://www.securityfocus.com/bid/1288
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0474
ATTACK: DOS Bay/Nortel Nautica Marlin
ATTACK TYPE: attempted-dos
udp :55377 -> 192.168.22.205:161
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0221
Reference => http://www.securityfocus.com/bid/1009
ATTACK: DOS Ascend Route
ATTACK TYPE: attempted-dos
udp :13038 -> 192.168.22.205:9
Reference => http://www.whitehats.com/info/IDS262
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0060
Reference => http://www.securityfocus.com/bid/714
ATTACK: DOS arkiea backup
ATTACK TYPE: attempted-dos
tcp :7017 -> 192.168.22.205:617
Reference => http://www.whitehats.com/info/IDS261
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0788
Reference => http://www.securityfocus.com/bid/662
ATTACK: DOS Winnuke attack
ATTACK TYPE: attempted-dos
tcp :31843 -> 192.168.22.205:135:139
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0153
Reference => http://www.securityfocus.com/bid/2010
ATTACK: DOS MSDTC attempt
ATTACK TYPE: attempted-dos
tcp :14970 -> 192.168.22.205:3372
Reference => http://www.securityfocus.com/bid/4006
ATTACK: DOS iParty DOS attempt
ATTACK TYPE: misc-attack
tcp :18936 -> 192.168.22.205:6004
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1566
ATTACK: DOS DB2 dos attempt
ATTACK TYPE: denial-of-service
tcp :24671 -> 192.168.22.205:6789:6790
ATTACK: DOS Cisco attempt
ATTACK TYPE: web-application-attack
tcp :65150 -> 192.168.22.205:80

However, I do not see any alerts generated in the alert file, and when running tcpdump -i eth0, no packets were seen.
Am I missing something?

Thanks in advance,
Peggy
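Added example, not part of the post above and not code from the sneeze project: a small Python parser that reads Snort 2.x rule lines and produces the same msg / classtype / protocol / destination-port / reference summary that the sneeze listing prints, so the per-rule lines in such a listing can be checked against the rule file independently of whether any packets reach the wire. The rule text here is constructed for the example (local-range sids, minimal options); the reference URL prefixes are the ones visible in the listing above, and the `parse_rules` / `format_summary` names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample rules in Snort 2.x syntax. Only the msg/classtype/reference
# fields mirror the kind of data the sneeze listing prints; sids and the
# remaining options are placeholders for this example.
SAMPLE_RULES = """\
# comment lines and blank lines are skipped

alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"DOS UDP echo+chargen bomb"; classtype:attempted-dos; reference:cve,CVE-1999-0103; reference:cve,CAN-1999-0635; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"DOS Winnuke attack"; flags:U+; classtype:attempted-dos; reference:cve,CVE-1999-0153; reference:bugtraq,2010; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DOS Cisco attempt"; flow:to_server,established; classtype:web-application-attack; sid:1000003; rev:1;)
"""

# Reference-system prefixes as they appear in the listing above (Snort keeps
# the same mapping in reference.config); "url" references are used verbatim.
REFERENCE_PREFIX = {
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/bid/",
    "arachnids": "http://www.whitehats.com/info/IDS",
    "url": "http://",
}

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# One option: keyword, optional ":value" (a quoted value may contain ';'), then ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:\\.|[^"])*"|[^;]*))?\s*;')


@dataclass
class RuleSummary:
    msg: str
    classtype: str
    proto: str
    dst_port: str
    references: List[str] = field(default_factory=list)


def expand_reference(value: str) -> str:
    """Turn a 'system,id' reference option into the URL form of the listing."""
    system, _, ident = value.partition(",")
    prefix = REFERENCE_PREFIX.get(system.strip().lower())
    if prefix is None:
        return value  # unknown reference system: keep the raw pair
    return prefix + ident.strip()


def parse_rule(line: str) -> RuleSummary:
    """Parse one rule line into the fields the listing shows per rule."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a rule header: {line!r}")
    summary = RuleSummary(msg="", classtype="", proto=m["proto"].lower(), dst_port=m["dport"])
    for key, value in OPTION_RE.findall(m["opts"]):
        value = value.strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        if key == "msg":
            summary.msg = value
        elif key == "classtype":
            summary.classtype = value
        elif key == "reference":
            summary.references.append(expand_reference(value))
    return summary


def parse_rules(text: str) -> List[RuleSummary]:
    """Parse a rule file's text, skipping blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(parse_rule(line))
    return rules


def format_summary(r: RuleSummary, target: str) -> str:
    """Render one rule in the ATTACK / ATTACK TYPE / proto -> target / Reference layout."""
    lines = [f"ATTACK: {r.msg}", f"ATTACK TYPE: {r.classtype}", f"{r.proto} -> {target}:{r.dst_port}"]
    lines += [f"Reference => {ref}" for ref in r.references]
    return "\n".join(lines)


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the sensor under test
    for rule in parse_rules(SAMPLE_RULES):
        print(format_summary(rule, "192.0.2.10"))
        print()
```

Comparing this summary against the rule file tells you whether the listing reflects what the rule file actually contains; it says nothing about whether the generated packets left the interface, which is a separate check with tcpdump on the interface the traffic actually traverses.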
Current thread:
- Has any one tried SnorcCenter with Snort 2.1.1-RC1? crazy (Feb 06)
- alert_syslog Peggy Kam (Feb 06)
- Re: alert_syslog Josh Berry (Feb 06)
- Re: alert_syslog Peggy Kam (Feb 06)
- Re: alert_syslog Owen McCusker (Feb 06)
- Sneeze Peggy Kam (Feb 06)
- Re: alert_syslog Josh Berry (Feb 06)
- alert_syslog Peggy Kam (Feb 06)
- <Possible follow-ups>
- Has any one tried SnorcCenter with Snort 2.1.1-RC1? crazy (Feb 07)
- Re: Has any one tried SnorcCenter with Snort 2.1.1-RC1? Jason Alexander (Feb 09)