![snort logo](/images/snort-logo.png)
Snort mailing list archives
Re: problems in understanding snort alerts
From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Sat, 25 Jul 2009 16:56:54 -0400
I'll take a crack at it. Here are the rules that triggered those alerts.

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar access"; flow:to_server,established; uricontent:"/calendar"; nocase; metadata:service http; classtype:attempted-recon; sid:882; rev:6;)

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC nc.exe attempt"; flow:to_server,established; content:"nc.exe"; nocase; metadata:service http; classtype:web-application-activity; sid:1062; rev:7;)

The alerts you gave indicate that the traffic is from an internal IP to an external IP. The rules are written such that they should only trigger on traffic from external IPs to HTTP servers you've defined. I would guess you haven't configured what your internal IP ranges are nor what your HTTP servers are (if any).

The idea behind the first rule is that someone is trying to access calendars stored on your web server for recon purposes. In your case, someone on the internal network is accessing a site that includes "/calendar" in a URL somewhere. Not a big threat.

In the second case the traffic is again the reverse of what the rule should be triggering on if you have everything configured correctly. It is simply looking for the string "nc.exe". The idea behind the rule is that nc.exe is the default executable name for netcat, which is something you don't want someone pushing to your HTTP server.

What front end are you using?

Steve Mullins

On Sat, Jul 25, 2009 at 12:55 PM, gone save <gonesave () gmail com> wrote:
Hi, all. I am a newbie to Snort. My Snort sends me some alerts and I really can't understand them. Could anyone help me out? Following are the alerts:

    [**] [1:882:6] WEB-CGI calendar access [**]
    [Classification: Attempted Information Leak] [Priority: 2]
    07/25-17:09:25.819198 192.168.1.100:3456 -> 64.233.189.154:80
    TCP TTL:64 TOS:0x0 ID:43196 IpLen:20 DgmLen:929 DF
    ***AP*** Seq: 0x805579D5  Ack: 0xCD24FF3D  Win: 0xB5C9  TcpLen: 32
    TCP Options (3) => NOP NOP TS: 73585 2972519554

    [**] [1:1062:7] WEB-MISC nc.exe attempt [**]
    [Classification: access to a potentially vulnerable web application] [Priority: 2]
    07/25-17:09:30.696473 192.168.1.100:3462 -> 64.233.189.154:80
    TCP TTL:64 TOS:0x0 ID:43289 IpLen:20 DgmLen:1303 DF
    ***AP*** Seq: 0x8E344CC0  Ack: 0x27BA7E82  Win: 0xB5C9  TcpLen: 20

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
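To make the direction point in the reply concrete, here is a small added example (not part of the thread) that replays the two quoted alerts against the shared rule header `alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS`. The HOME_NET of 192.168.1.0/24, HTTP_SERVERS = $HOME_NET, HTTP_PORTS = 80 and EXTERNAL_NET = !$HOME_NET are assumptions for the example, not values from the post.

```python
import ipaddress
import re

# snort.conf variables as they read once the network is described (constructed
# for this example). A stock snort.conf ships HOME_NET any / EXTERNAL_NET any,
# so rules written for inbound traffic also fire on an internal client's requests.
HOME_NET = ["192.168.1.0/24"]
HTTP_SERVERS = HOME_NET   # var HTTP_SERVERS $HOME_NET
HTTP_PORTS = {80}         # portvar HTTP_PORTS 80; EXTERNAL_NET is !$HOME_NET

# The two alerts quoted in the original post.
ALERTS = """\
[**] [1:882:6] WEB-CGI calendar access [**]
07/25-17:09:25.819198 192.168.1.100:3456 -> 64.233.189.154:80
[**] [1:1062:7] WEB-MISC nc.exe attempt [**]
07/25-17:09:30.696473 192.168.1.100:3462 -> 64.233.189.154:80
"""
SID_RE = re.compile(r"\[\*\*\] \[(\d+:\d+:\d+)\] (.*?) \[\*\*\]")
HDR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)")

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def rule_header_matches(src, dst, dport):
    """Both rules share the header
        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
    True if a packet src -> dst:dport satisfies it under the variables above."""
    return (not in_nets(src, HOME_NET)          # $EXTERNAL_NET = !$HOME_NET
            and in_nets(dst, HTTP_SERVERS)
            and dport in HTTP_PORTS)

def triage(alert_text):
    """Pair each sid/msg with the packet line after it; report whether the header still matches."""
    results, sid, msg = [], None, None
    for line in alert_text.splitlines():
        m = SID_RE.match(line)
        if m:
            sid, msg = m.groups()
            continue
        m = HDR_RE.search(line)
        if m:
            src, dst, dport = m.group(1), m.group(2), int(m.group(3))
            if rule_header_matches(src, dst, dport):
                verdict = "matches rule header"
            else:
                verdict = "internal client -> external server; header would not match"
            results.append((sid, msg, src, dst, verdict))
    return results
```

With HOME_NET defined, both quoted alerts come back as client traffic that the rule header would not match, while a request arriving at 192.168.1.100:80 from the outside still would.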
Current thread:
- problems in understanding snort alerts gone save (Jul 25)
- Re: problems in understanding snort alerts Stephen Mullins (Jul 25)