Security Basics mailing list archives

IPS log analysis


From: erika_cispp () yahoo com
Date: 11 May 2008 11:58:43 -0000

My department has tasked me with keeping an eye on IPS logs for several customers. So far so good, until I came across this the other day. Has anyone seen this before? The customer says the traffic is definitely not coming from them, but my co-worker says it is not malicious. It is showing up on their app database logs.

9  0474: MS-SQL/SMB: sp_OACreate Program Execution  Major  4  10.1.4.x   10.1.4.x  Permit

10 0472: MS-SQL/SMB: sp_password Password Change    Major  4  0.1.4.x    10.1.4.x  Permit

22 0460: MS-SQL/SMB: raiserror Access               Major  2  10.1.4.x   10.1.4.x  Permit

Nothing else is ever permitted; it is always blocked. Also this is the first time I have seen a natted source IP.
   
Typical "normal" log entry

23  3885: HTTP: PHP File Include Exploit Critical  2  80.93.207.x 10.1.4.x  Block

Any help would be appreciated
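As an added triage example (not part of the original post or of any reply in the thread): a Python script that parses IPS lines of the shape quoted above, flags the entries that were permitted at Major or Critical severity, checks whether both ends are RFC 1918 addresses, and attaches a note on what each of the three MS-SQL signatures actually corresponds to on the database server. The sample lines are constructed from the entries in the post, keeping the poster's "x" masking; the field layout assumed (sequence, signature id, name, severity, count, source, destination, action) is read off those entries and is an assumption about this IPS's export format.

```python
"""Triage helper for IPS log lines of the shape quoted in the post."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, copied from the entries in the post above; the
# trailing "x" octets are the poster's own masking, not real values.
SAMPLE_LOG = """\
9 0474: MS-SQL/SMB: sp_OACreate Program Execution Major 4   10.1.4.x   10.1.4.x  Permit
10 0472:MS-SQL/SMB: sp_password Password Change  Major 4   0.1.4.x   10.1.4.x  Permit
22 0460: MS-SQL/SMB: raiserror Access  Major  2    10.1.4.x  10.1.4.x  Permit
23  3885: HTTP: PHP File Include Exploit Critical  2  80.93.207.x 10.1.4.x  Block
"""

# Assumed layout: seq  sig_id: signature name  severity  count  src  dst  action
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<sig_id>\d+):\s*(?P<name>.+?)\s+"
    r"(?P<severity>Critical|Major|Minor|Low|Informational)\s+(?P<count>\d+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<action>Permit|Block)\s*$"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# What each MS-SQL signature in the post fires on, and the first thing to
# check on the SQL Server itself.
SIGNATURE_NOTES = {
    "sp_OACreate": "instantiates an OLE/COM object inside SQL Server; only works "
                   "with the 'Ole Automation Procedures' option enabled, so check "
                   "sp_configure and who holds EXECUTE on the sp_OA* procedures",
    "sp_password": "changes a SQL Server login password; confirm in the SQL error "
                   "log or login audit which login was changed and by whom",
    "raiserror": "raises a user-defined error; applications use it routinely in "
                 "stored procedures, so on its own it is usually benign",
}


@dataclass
class Event:
    seq: int
    sig_id: str
    name: str
    severity: str
    count: int
    src: str
    dst: str
    action: str
    reasons: list = field(default_factory=list)


def parse_line(line: str):
    """Return an Event for one IPS log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Event(int(g["seq"]), g["sig_id"], g["name"], g["severity"],
                 int(g["count"]), g["src"], g["dst"], g["action"])


def is_rfc1918(masked_ip: str) -> bool:
    """Classify a masked address; the 'x' last octet becomes 0 so the /24 can be tested."""
    candidate = re.sub(r"\.x$", ".0", masked_ip)
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def triage(log_text: str) -> list:
    """Parse every line and attach the reasons an analyst should look twice."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.action == "Permit" and ev.severity in ("Critical", "Major"):
            ev.reasons.append("permitted despite %s severity" % ev.severity)
        if is_rfc1918(ev.src) and is_rfc1918(ev.dst):
            ev.reasons.append("both ends are RFC 1918: originated inside the "
                              "network or was source-NATed before the sensor")
        for proc, note in SIGNATURE_NOTES.items():
            if proc in ev.name:
                ev.reasons.append("%s: %s" % (proc, note))
        events.append(ev)
    return events


def flagged(log_text: str) -> list:
    """Sequence numbers of events that were permitted at Major/Critical severity."""
    return [ev.seq for ev in triage(log_text)
            if any(r.startswith("permitted") for r in ev.reasons)]


if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(f"{ev.seq:>3} {ev.action:<6} {ev.severity:<8} "
              f"{ev.src:>12} -> {ev.dst:<12} {ev.name}")
        for r in ev.reasons:
            print("      -", r)
```

Run as-is it prints the four sample entries with their reasons. Note that the second entry's source, "0.1.4.x" exactly as it appears in the post, is not an RFC 1918 address, so the script does not tag that line as internal-to-internal; whether that is a transcription slip for 10.1.4.x is something only the original log can settle. The sp_OACreate note is the one that matters most: if 'Ole Automation Procedures' is disabled on the server, the signature fired on a call that could not have done anything, and if it is enabled, the question is which login made the call and why.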

