Snort mailing list archives
Where do I go from here
From: "Timothy A. Holmes" <tholmes () mcaschool net>
Date: Tue, 15 Nov 2005 14:15:49 -0500
Hi Folks: After some fits and starts, I believe that I have a functional IDS Box watching the front door now, and I took out the back door (Wireless ap) and repaired the hole in the wall with bricks and mortar So, I guess the next question is what is the next step? To summarize, I have a SNORT box up and sniffing on the inbound line between the Cable Modem and the Firewall. The management port is inside the firewall and has an IP on it while the sniffing port is outside the firewall and does not have one. I am logging to a mysql database, and running base for reporting. As of the last check, I have received about 4500 alerts today, here is the breakdown from base on them Displaying alerts 1-7 of 7 total < <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=sig_a
Signature >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=sig_d
< <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=class _a> Classification > <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=class _d> < <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=occur _a> Total # > <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=occur _d> Sensor # < <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=saddr _a> Source Address > <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=saddr _d> < <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=daddr _a> Dest. Address > <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=daddr _d> < <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=first _a> First > <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=first _d> < <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=last_ a> Last > <https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=last_ d> [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=3> ] (portscan) TCP Portsweep unclassified 55 <https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B 1%5D=1&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 1 <https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5 D=1&sig_type=1> 1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si g%5B0%5D=%3D&sig%5B1%5D=1> 31 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si g%5B0%5D=%3D&sig%5B1%5D=1> 2005-11-15 03:06:05 2005-11-15 13:12:23 [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=27> ] (portscan) Open Port unclassified 3679 <https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B 1%5D=2&sig_type=1&submit=Query+DB&num_result_rows=-1> (33%) 1 <https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5 D=2&sig_type=1> 1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si g%5B0%5D=%3D&sig%5B1%5D=2> 302 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si g%5B0%5D=%3D&sig%5B1%5D=2> 2005-11-15 03:06:08 2005-11-15 13:12:28 [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=4> ] (http_inspect) BARE BYTE UNICODE ENCODING unclassified 444 <https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B 1%5D=3&sig_type=1&submit=Query+DB&num_result_rows=-1> (4%) 1 <https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5 D=3&sig_type=1> 2 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si g%5B0%5D=%3D&sig%5B1%5D=3> 1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si g%5B0%5D=%3D&sig%5B1%5D=3> 2005-11-15 00:37:16 2005-11-15 14:12:38 [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=2> ] (http_inspect) DOUBLE DECODING ATTACK unclassified 21 <https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B 1%5D=4&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 1 <https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5 D=4&sig_type=1> 1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si g%5B0%5D=%3D&sig%5B1%5D=4> 9 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si g%5B0%5D=%3D&sig%5B1%5D=4> 2005-11-15 07:16:16 2005-11-15 12:38:53 [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=15> ] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY unclassified 6 <https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B 1%5D=6&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 1 <https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5 D=6&sig_type=1> 1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si g%5B0%5D=%3D&sig%5B1%5D=6> 3 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si g%5B0%5D=%3D&sig%5B1%5D=6> 2005-11-15 10:43:42 2005-11-15 11:46:43 [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=1> ] (portscan) TCP Portscan unclassified 3 <https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B 1%5D=9&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 1 <https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5 D=9&sig_type=1> 1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si g%5B0%5D=%3D&sig%5B1%5D=9> 3 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si g%5B0%5D=%3D&sig%5B1%5D=9> 2005-11-15 10:36:26 2005-11-15 10:36:42 [snort <http://www.snort.org/pub-bin/sigs.cgi?sid=16> ] (http_inspect) OVERSIZE CHUNK ENCODING unclassified 3 <https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B 1%5D=13&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 1 <https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5 D=13&sig_type=1> 1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si g%5B0%5D=%3D&sig%5B1%5D=13> 1 <https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si g%5B0%5D=%3D&sig%5B1%5D=13> 2005-11-15 11:45:36 2005-11-15 11:46:40 I guess I need to know what to do next and how to begin utilizing this data to better protect my network Anyone who can help, or point me to the proper resources would be greatly appreciated TIM Timothy A. Holmes IT Manager / Network Admin / Web Master / Computer Teacher Medina Christian Academy A Higher Standard... Jeremiah 33:3 Jeremiah 29:11 Esther 4:14
Current thread:
- Where do I go from here Timothy A. Holmes (Nov 15)
- <Possible follow-ups>
- RE: Where do I go from here Briggs, Bruce (Nov 15)
- RE: Where do I go from here Lee Clemens (Nov 15)
- RE: Where do I go from here Briggs, Bruce (Nov 15)
- Re: Where do I go from here Richard Bejtlich (Nov 15)