Snort mailing list archives

Re: problems in understanding snort alerts


From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Sat, 25 Jul 2009 16:56:54 -0400

I'll take a crack at it.

Here are the rules that triggered those alerts.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
calendar access"; flow:to_server,established; uricontent:"/calendar";
nocase; metadata:service http; classtype:attempted-recon; sid:882;
rev:6;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC nc.exe attempt"; flow:to_server,established;
content:"nc.exe"; nocase; metadata:service http;
classtype:web-application-activity; sid:1062; rev:7;)

The alerts you gave indicate that the traffic is from an internal IP
to an external IP.  The rules are written such that they should only
trigger on traffic from external IPs to HTTP servers you've defined.
I would guess you haven't configured what your internal IP ranges are
nor what your HTTP servers are (if any).  The idea behind the first
rule is that someone is trying to access calendars stored on your web
server for recon purposes.  In your case, someone on the internal
network is accessing a site that includes "/calendar" in a URL
somewhere.  Not a big threat.

In the second case the traffic is again the reverse of what the rule
should be triggering on if you have everything configured correctly.
It is simply looking for the string "nc.exe."  The idea behind the
rule is that nc.exe is the default executable name for netcat which is
something you don't want someone pushing to your HTTP server.

What front end are you using?

Steve Mullins

On Sat, Jul 25, 2009 at 12:55 PM, gone save<gonesave () gmail com> wrote:
Hi, all. I am a newbie of Snort; my Snort sends me some alerts and I really
can't understand them. Could anyone help me out? Following are the alerts:

[**] [1:882:6] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/25-17:09:25.819198 192.168.1.100:3456 -> 64.233.189.154:80
TCP TTL:64 TOS:0x0 ID:43196 IpLen:20 DgmLen:929 DF
***AP*** Seq: 0x805579D5  Ack: 0xCD24FF3D  Win: 0xB5C9  TcpLen: 32
TCP Options (3) => NOP NOP TS: 73585 2972519554

[**] [1:1062:7] WEB-MISC nc.exe attempt [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
07/25-17:09:30.696473 192.168.1.100:3462 -> 64.233.189.154:80
TCP TTL:64 TOS:0x0 ID:43289 IpLen:20 DgmLen:1303 DF
***AP*** Seq: 0x8E344CC0  Ack: 0x27BA7E82  Win: 0xB5C9  TcpLen: 20
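
One way to check what Steve describes, as an added example that is not part of the thread and not Snort's own code: a small Python script that parses the alert headers above and asks, for an assumed HOME_NET of 192.168.1.0/24 with the snort.conf defaults `ipvar EXTERNAL_NET !$HOME_NET` and `ipvar HTTP_SERVERS $HOME_NET`, whether each flow could even satisfy the rule header `$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS`. The sample alert text is constructed from the two alerts in the thread; the HTTP_PORTS set is a subset of the default portvar and is an assumption.

```python
import ipaddress
import re

# Constructed Snort variables (assumption: the poster's LAN is 192.168.1.0/24).
# These mirror snort.conf lines such as:
#   ipvar HOME_NET 192.168.1.0/24
#   ipvar EXTERNAL_NET !$HOME_NET
#   ipvar HTTP_SERVERS $HOME_NET
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]
HTTP_SERVERS = HOME_NET
HTTP_PORTS = {80, 8080, 8000}  # assumption: subset of the default portvar HTTP_PORTS

# Constructed sample input: the two alerts from the thread in Snort's full alert format.
SAMPLE_ALERTS = """\
[**] [1:882:6] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/25-17:09:25.819198 192.168.1.100:3456 -> 64.233.189.154:80
TCP TTL:64 TOS:0x0 ID:43196 IpLen:20 DgmLen:929 DF

[**] [1:1062:7] WEB-MISC nc.exe attempt [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
07/25-17:09:30.696473 192.168.1.100:3462 -> 64.233.189.154:80
TCP TTL:64 TOS:0x0 ID:43289 IpLen:20 DgmLen:1303 DF
"""

# "[**] [gid:sid:rev] message [**]" header line
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
# "MM/DD-HH:MM:SS.usec src:sport -> dst:dport" flow line
FLOW_RE = re.compile(
    r"^\S+ (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def in_nets(addr, nets):
    """True if the dotted-quad address falls inside any of the networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def parse_alerts(text):
    """Return one dict per alert block: gid, sid, rev, msg, src, sport, dst, dport."""
    alerts, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"gid": int(m.group(1)), "sid": int(m.group(2)),
                       "rev": int(m.group(3)), "msg": m.group(4)}
            alerts.append(current)
            continue
        m = FLOW_RE.match(line)
        if m and current is not None:
            current.update(src=m["src"], sport=int(m["sport"]),
                           dst=m["dst"], dport=int(m["dport"]))
    return alerts


def classify_direction(alert):
    """Describe the flow relative to HOME_NET, which is the first triage question."""
    src_home = in_nets(alert["src"], HOME_NET)
    dst_home = in_nets(alert["dst"], HOME_NET)
    if src_home and not dst_home:
        return "internal -> external"
    if dst_home and not src_home:
        return "external -> internal"
    return "internal -> internal" if src_home else "external -> external"


def header_matches(alert):
    """Would '$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS' match this flow?"""
    src_external = not in_nets(alert["src"], HOME_NET)   # EXTERNAL_NET = !HOME_NET
    dst_http_server = in_nets(alert["dst"], HTTP_SERVERS)
    return src_external and dst_http_server and alert["dport"] in HTTP_PORTS


def triage(text):
    """Annotate each alert with its direction and whether a configured HOME_NET
    would have let the rule header match at all."""
    return [
        {"sid": a["sid"], "msg": a["msg"],
         "direction": classify_direction(a),
         "would_fire_with_homenet": header_matches(a)}
        for a in parse_alerts(text)
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

For both alerts in the thread the script reports "internal -> external" and `would_fire_with_homenet: False`: with HOME_NET defined, 192.168.1.100 is no longer in `$EXTERNAL_NET`, so the header never matches and the `uricontent`/`content` checks are never reached. The same check on the reversed flow (64.233.189.154 -> 192.168.1.100:80) returns True, which is the case the rules were written for.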

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
