Security Basics mailing list archives

Re: IPS log analysis


From: LGM <lmazzella () gmail com>
Date: Mon, 12 May 2008 10:52:35 -0400

They look like firewall rules to me. Are they running some type of
firewall/snort system?



On Sun, May 11, 2008 at 7:58 AM, <erika_cispp () yahoo com> wrote:
My department has tasked me with keeping an eye on IPS logs for several customers. So far so good, until I came
across this the other day. Has anyone seen this before? The customer says the traffic is definitely not coming from
them, but my co-worker says it is not malicious. It is showing up on their app database logs.


9  0474: MS-SQL/SMB: sp_OACreate Program Execution  Major  4  10.1.4.x   10.1.4.x  Permit
10 0472: MS-SQL/SMB: sp_password Password Change     Major  4  0.1.4.x    10.1.4.x  Permit
22 0460: MS-SQL/SMB: raiserror Access                Major  2  10.1.4.x   10.1.4.x  Permit


Nothing else is ever permitted; it is always blocked. Also, this is the first time I have seen a NATed source IP.

Typical "normal" log entry:

23 3885: HTTP: PHP File Include Exploit  Critical  2  80.93.207.x  10.1.4.x  Block

Any help would be appreciated.

-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
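As an added example, not part of the thread: a small Python triage script that parses lines in the format quoted above and flags the two things the post noticed, a Major/Critical signature that was permitted rather than blocked, and a source address in private (RFC 1918) space. The sample lines are constructed from the entries in the post, with the masked ".x" octets replaced by made-up host numbers so the addresses parse.

```python
import ipaddress
import re
from collections import namedtuple

# Line format as it appears in the thread (whitespace-separated):
#   <seq> <sig-id>: <signature name> <severity> <score> <src> <dst> <action>
LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<sig>\d+):\s*(?P<name>.+?)\s+"
    r"(?P<sev>Critical|Major|Minor|Low)\s+(?P<score>\d+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<action>Permit|Block)\s*$"
)

# Constructed sample: the thread's entries with the masked ".x" octets
# replaced by made-up host numbers so the addresses parse.
SAMPLE_LOG = """\
9 0474: MS-SQL/SMB: sp_OACreate Program Execution Major 4 10.1.4.10 10.1.4.20 Permit
10 0472:MS-SQL/SMB: sp_password Password Change Major 4 10.1.4.10 10.1.4.20 Permit
22 0460: MS-SQL/SMB: raiserror Access Major 2 10.1.4.10 10.1.4.20 Permit
23 3885: HTTP: PHP File Include Exploit Critical 2 80.93.207.5 10.1.4.20 Block
"""

Event = namedtuple("Event", "seq sig name severity score src dst action")

def parse_log(text):
    """Parse every well-formed line; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            events.append(Event(int(d["seq"]), d["sig"], d["name"], d["sev"],
                                int(d["score"]), d["src"], d["dst"], d["action"]))
    return events

def triage(events):
    """Return {seq: [reasons]} for events worth an analyst's look: a
    high-severity signature the sensor let through, and a source in
    private (RFC 1918) space, which on this sensor is the unusual case."""
    flagged = {}
    for ev in events:
        reasons = []
        if ev.action == "Permit" and ev.severity in ("Critical", "Major"):
            reasons.append("high-severity event permitted")
        if ipaddress.ip_address(ev.src).is_private:
            reasons.append("internal/NATed source " + ev.src)
        if reasons:
            flagged[ev.seq] = reasons
    return flagged
```

Run `triage(parse_log(SAMPLE_LOG))` and the three MS-SQL entries come back with both reasons, while the blocked HTTP entry from a public address is not flagged.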
