Snort mailing list archives
Analyzing Snort alert
From: Balasubramaniam Natarajan <bala150985 () gmail com>
Date: Tue, 10 Jul 2012 10:49:11 +0530
Hi Snort users,

I am posting a small event which happened yesterday, and I hope I am not breaking any rules of this mailing list by sending this email. If I am, let me know; with that said, here we go.

Yesterday I was going about doing my things and suddenly noticed that there were three alerts on my IDS with the signature shown below.
<http://2.bp.blogspot.com/-G3B7gcivFGw/T_u0YBPzyQI/AAAAAAAAAUs/mgCOYQQFFy0/s1600/Selection_002.jpeg>

I tried looking at the payload; it was really huge, as shown below.
<http://4.bp.blogspot.com/-epVGhV9qj64/T_u1Je0FjXI/AAAAAAAAAU0/osnw9HzpZyA/s1600/Selection_003.jpeg>

I tried looking up the IP (http://whois.domaintools.com/91.229.143.59), however I did not get any information useful to me. I wanted to clean up the payload shown above to see just the URLs, so I used the command shown here:

*grep http tmp.txt | cut -d" " -f1 | grep \' | cut -d\' -f1*
<http://4.bp.blogspot.com/-tHMmp_iJ_T4/T_u2XxfHMqI/AAAAAAAAAU8/bSMN6Mm0xak/s1600/Selection_004.jpeg>

Well, fair enough: except for the first one, all the others do seem to be malicious, so I set out looking through my web proxy logs to see how I had landed on the IP. One look at the proxy logs and I almost felt like an amnesia patient getting back his/her memories :-D, because yesterday I was using urlquery.net for some experiment.
<http://3.bp.blogspot.com/-KbgemiTCFIE/T_u3KEmpmuI/AAAAAAAAAVE/nKfXsXCip40/s1600/Selection_005.jpeg>

*Bottom line:* Long story short, it really pays to have logging enabled to determine whether an incident is a false positive or not :-)

Note: I thought of just sending a link to the blog to the mailing list, however I did not, as I do not want to be pointed at for dragging people to my blog.

--
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
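The two triage steps the post walks through (pulling the URLs out of a payload dump, then checking the web-proxy log for how the client reached the alert's destination), as an added shell example that is not from the original post. The payload text, the proxy log lines and their "time client method url referer" layout are constructed samples; only the destination IP and urlquery.net come from the post.

```shell
#!/bin/sh
# Added triage helper (not the author's code). All data below is constructed.

# Constructed payload dump: the kind of JavaScript blob an IDS prints for an
# alert, with URLs wrapped in single or double quotes.
payload_dump() {
  cat <<'EOF'
var a='http://example-cdn.test/jquery.min.js'; var b = "http://91.229.143.59/x/load.php?id=1";
document.write('<iframe src="http://91.229.143.59/x/iframe.html" width=1 height=1>');
setTimeout(function(){ location='http://91.229.143.59/x/redir.php' }, 1000);
EOF
}

# Step 1: print each URL on its own line, stopping at the quote, whitespace or
# bracket that ends it (the post did this with grep | cut on a saved file).
extract_urls() {
  grep -oE "https?://[^'\"[:space:]<>()]+" | sort -u
}

# Constructed proxy log, one request per line:
#   time client method url referer   ("-" when no Referer header was sent)
proxy_log() {
  cat <<'EOF'
09:41:02 10.0.0.5 GET http://urlquery.net/report.php?id=12345 -
09:41:05 10.0.0.5 GET http://91.229.143.59/x/load.php?id=1 http://urlquery.net/report.php?id=12345
09:41:06 10.0.0.5 GET http://91.229.143.59/x/iframe.html http://urlquery.net/report.php?id=12345
EOF
}

# Step 2: for the destination IP taken from the alert, list the referring pages
# the proxy recorded. A referrer on a site the analyst was knowingly using
# (here urlquery.net) points to a false positive; no referrer, or an unknown
# one, means the alert still needs work.
referrers_for_ip() {
  awk -v ip="$1" 'index($4, "://" ip "/") && $5 != "-" { print $5 }' | sort -u
}

# Stand-alone run: extracted URLs, how many hit the alert IP, then referrers.
payload_dump | extract_urls
payload_dump | extract_urls | grep -c '91.229.143.59'
proxy_log | referrers_for_ip 91.229.143.59
```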