Snort mailing list archives
Re: http_inspect message
From: Mario Remy Almeida <mario.almeida () gmail com>
Date: Mon, 19 Sep 2011 03:06:43 +0400
Hi Martin, Yes, Its a DOS attack on TCP port 80, My sever goes down only if I start Apache which runs on port 80. Thats the reason I have put the iptable rule. Only port allowed by our ISP to our server is TCP port 80 and 443. I have attache an excel file about my findings as per the snort alert. If you are free and can have a look will be a great help. On Mon, Sep 19, 2011 at 2:34 AM, Martin Holste <mcholste () gmail com> wrote:
Are you sure it's a DOS? How do you know? Are these web requests? Web server logs are the place to start. If you are under a DOS attack, and it's just a TCP (not HTTP) attack, then you are on the right track with the iptables config changes. I'd also be making similar tweaks on the upstream firewall. Since you already know you're under attack, then you're not really trying to detect intrusions. If you're not sure what kind of attack you're under, then the many DOS rules in the signatures may help guide you. Otherwise, set aside the IDS for now and focus on containing the incident. If the incident is not contained, then you need to focus on getting the incoming connections blocked (as you've done). You may also want to look into null-routing instead of using firewall blocks. After containment, focus on collecting log evidence and opening a case with your local law enforcement as soon as possible. Make sure you're getting logs from multiple devices--preferably NetFlow from your router(s) and build/teardown/deny messages from your firewall(s). If you have received any communications from the attackers by way of email, make sure these are saved in their original form for evidence as well. On Sun, Sep 18, 2011 at 3:15 PM, Mario Remy Almeida <mario.almeida () gmail com> wrote:Hi Martin Actually I company web site is under attack, there are trons of new connection form different IPs. At present with iptables I have set 25 connection p/s (--state NEW) after this server seems to be normal. I recommended to snort to my man agent to give a try, with the subscription we download the rule sets too. but now I am lost. I have enable all the rules from dos and ddos rule files. Let me enable all the rules from backdoor.rules and watch for alerts. You mean signatures, that is the rule set right? On Sun, Sep 18, 2011 at 10:51 PM, Martin Holste <mcholste () gmail com> wrote:No, you are not under DOS attack. This is a very common message from the http preprocessor. Actually, the http preproc will create many, many messages like this, almost all of which can be safely ignored until you are more familiar with Snort. I recommend that you ignore alerts from all of the preprocessors until *AFTER* you have mastered the regular rules. By this I mean worry first about any signatures which have the "trojan-activity" classification or are SQL injection signatures. Also, take this opportunity to add a heartbeat signature so you'll know for sure if you're dropping packets (you can safely skip this step if you are monitoring a link with < 100 Mbit/sec). Once you've your normal ruleset tuned and have responded to the malware infections that you probably just found now that you've got something other than AV keeping an eye on things, you can proceed to check out the alerts generated by the preprocessors. On Sun, Sep 18, 2011 at 12:10 PM, Mario Remy Almeida <mario.almeida () gmail com> wrote:Dear All, I am new to snort. I get lots of this message [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} Dose it mean I am in kind of DOS attack? can someone give me some tips if I need to analyze it more or should I block such IPs? ------------------------------------------------------------------------------ BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA http://p.sf.net/sfu/rim-devcon-copy2 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Attachment:
high_count_ips.xlsx
Description:
------------------------------------------------------------------------------ BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA http://p.sf.net/sfu/rim-devcon-copy2
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- http_inspect message Mario Remy Almeida (Sep 18)
- Re: http_inspect message Martin Holste (Sep 18)
- Re: http_inspect message Mario Remy Almeida (Sep 18)
- Re: http_inspect message Martin Holste (Sep 18)
- Re: http_inspect message Mario Remy Almeida (Sep 18)
- Re: http_inspect message Martin Holste (Sep 18)
- Re: http_inspect message Jefferson, Shawn (Sep 19)
- Re: http_inspect message Mario Remy Almeida (Sep 18)
- Re: http_inspect message Martin Holste (Sep 18)