Snort mailing list archives
RE: Snort within Astaro Secure Linux
From: "doug" <doug () ravennasprings com>
Date: Wed, 2 Mar 2005 14:26:29 -0800
It appears that my firewall has been compromised. I wanted to verify this with folks more familiar with snort. The logs are at the bottom of this message.

It appears that an attack was initiated from 208.254.45.206 and succeeded in compromising my firewall within seven minutes, then continued the attack from the firewall itself.

Can someone help me out with this? This would be a serious compromise of a well-respected firewall. I'm very much interested in getting to the bottom of this.

Regards,
~Doug

Local logfile query
Query term: DOS
Time span: 2005-03-01 -> 2005-03-02
Intrusion Protection System

2005:03:01-12:32:10 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:13 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:19 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:31 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:55 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:33:43 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:02-12:49:59 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:49:59 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:49:59 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:00 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:01 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:02 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:06 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:12 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:26 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:53 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
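A triage pass over alert lines in the format quoted above, as an added example that is not part of the original post: it parses each line, groups alerts by signature and flow, and reports the gaps between alerts. The function names, the doubling-gap heuristic (gaps that double each time are typical of TCP retransmission backoff) and the port-below-1024 check are assumptions of this example; the sample lines are rebuilt from timestamps and endpoints in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the Astaro-style snort alert line format shown in the post.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) \S+ snort\[\d+\]: "
    r"\[(?P<sig>\d+:\d+:\d+)\] (?P<msg>.+?) \[Classification: [^\]]+\] "
    r"\[Priority: \d+\]: \S+ \{PROTO(?P<proto>\d+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alert(line):
    """Return a dict for one alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%Y:%m:%d-%H:%M:%S")
    for k in ("proto", "sport", "dport"):
        a[k] = int(a[k])  # "006" -> 6 (IP protocol number, 6 = TCP)
    return a

def summarize(lines):
    """Group alerts by (sig, src, sport, dst, dport) and profile each flow."""
    flows = defaultdict(list)
    for a in filter(None, map(parse_alert, lines)):
        key = (a["sig"], a["src"], a["sport"], a["dst"], a["dport"])
        flows[key].append(a["ts"])
    report = {}
    for key, stamps in flows.items():
        stamps.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        # Heuristic: each gap exactly double the previous one resembles TCP
        # retransmission backoff (one segment re-sent, not separate attempts).
        doubling = len(gaps) >= 3 and all(y == 2 * x for x, y in zip(gaps, gaps[1:]))
        # Heuristic: a source port below 1024 suggests traffic sent by a server.
        report[key] = {"count": len(stamps), "gaps": gaps, "doubling": doubling,
                       "src_port_is_service": key[2] < 1024}
    return report

# Constructed sample: lines rebuilt from timestamps and endpoints in the post.
TEMPLATE = ("2005:03:01-{t} (none) snort[913]: [1:1408:0] D DOS MSDTC attempt "
            "[Classification: Attempted Denial of Service] [Priority: 2]: "
            "<(null)> {{PROTO006}} 208.254.45.206:443 -> 10.1.1.5:3372")
SAMPLE = [TEMPLATE.format(t=t) for t in
          ("12:32:10", "12:32:13", "12:32:19", "12:32:31", "12:32:55", "12:33:43")]

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```

Both flags are triage hints only; confirming what the flagged packets were requires the packet capture or the rule's match conditions.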
Current thread:
- Snort within Astaro Secure Linux doug (Mar 03)
- Re: Snort within Astaro Secure Linux Will Metcalf (Mar 04)
- <Possible follow-ups>
- RE: Snort within Astaro Secure Linux doug (Mar 03)