Security Basics mailing list archives
Re: IPS log analysis
From: LGM <lmazzella () gmail com>
Date: Mon, 12 May 2008 10:52:35 -0400
They look like firewall rules to me. Are they running some type of firewall/Snort system?

On Sun, May 11, 2008 at 7:58 AM, <erika_cispp () yahoo com> wrote:

> My department has tasked me with keeping an eye on IPS logs for several customers. So far so good, until I came across this the other day. Has anyone seen this before? The customer says the traffic is definitely not coming from them, but my co-worker says it is not malicious. It is showing up on their app database logs.
>
> 9 0474: MS-SQL/SMB: sp_OACreate Program Execution Major 4 10.1.4.x 10.1.4.x Permit
> 10 0472: MS-SQL/SMB: sp_password Password Change Major 4 0.1.4.x 10.1.4.x Permit
> 22 0460: MS-SQL/SMB: raiserror Access Major 2 10.1.4.x 10.1.4.x Permit
>
> Nothing else is ever permitted; it is always blocked. Also, this is the first time I have seen a NATed source IP.
>
> Typical "normal" log entry:
>
> 23 3885: HTTP: PHP File Include Exploit Critical 2 80.93.207.x 10.1.4.x Block
>
> Any help would be appreciated.
-- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
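One way to triage flattened IPS lines like the ones quoted in this thread, as an added example (not code from the list or from either poster): it parses the columns, classifies source and destination by address range, and flags events that are high severity yet permitted, events whose source is inside the customer's own RFC 1918 space, and events whose source is not a routable address at all. The column layout (row, signature id, signature name, severity, a numeric field whose meaning the post does not state, source, destination, action) is inferred from the quoted lines, and the sample input below is constructed to mirror them, masked last octets included.

```python
"""Triage of flattened IPS event lines (added example, not from the list post).

Assumed column layout, inferred from the quoted lines:
    <row> <sig_id>: <signature> <severity> <n> <src> <dst> <action>
The meaning of <n> is not stated in the post, so it is parsed but not interpreted.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample mirroring the four entries quoted in the thread.
SAMPLE_EVENTS = """\
9 0474: MS-SQL/SMB: sp_OACreate Program Execution Major 4 10.1.4.x 10.1.4.x Permit
10 0472:MS-SQL/SMB: sp_password Password Change Major 4 0.1.4.x 10.1.4.x Permit
22 0460: MS-SQL/SMB: raiserror Access Major 2 10.1.4.x 10.1.4.x Permit
23 3885: HTTP: PHP File Include Exploit Critical 2 80.93.207.x 10.1.4.x Block
"""

EVENT_RE = re.compile(
    r"^(?P<row>\d+)\s+(?P<sig_id>\d+):\s*(?P<signature>.+?)\s+"
    r"(?P<severity>Critical|Major|Minor|Low|Informational)\s+(?P<n>\d+)\s+"
    r"(?P<src>[0-9x.]+)\s+(?P<dst>[0-9x.]+)\s+(?P<action>Permit|Block)\s*$"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NON_ROUTABLE = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]


def zone(masked_ip: str) -> str:
    """Classify a possibly last-octet-masked IPv4 string ("10.1.4.x").

    Masked octets are treated as 0; that is enough to place the address in a
    /8, /12 or /16 and is all the quoted log shows.
    """
    addr = ipaddress.ip_address(masked_ip.replace("x", "0"))
    if any(addr in net for net in RFC1918):
        return "internal"
    if any(addr in net for net in NON_ROUTABLE):
        return "non-routable"
    return "external"


@dataclass
class Event:
    row: int
    sig_id: str
    signature: str
    severity: str
    n: int
    src: str
    dst: str
    action: str

    @property
    def reasons(self) -> list[str]:
        """Why an analyst should look at this event; empty means routine."""
        out: list[str] = []
        if self.action == "Permit" and self.severity in ("Critical", "Major"):
            out.append("high-severity signature was permitted")
        if zone(self.src) == "internal" and zone(self.dst) == "internal":
            out.append("internal-to-internal: source is inside the customer network")
        if zone(self.src) == "non-routable":
            out.append("source address is not routable: check the log export or NAT")
        return out


def parse_events(text: str) -> list[Event]:
    """Parse flattened IPS lines; raise on anything that does not fit the layout."""
    events: list[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unparsed IPS line: {line!r}")
        g = m.groupdict()
        events.append(Event(int(g["row"]), g["sig_id"], g["signature"], g["severity"],
                            int(g["n"]), g["src"], g["dst"], g["action"]))
    return events


def triage(text: str) -> list[tuple[str, list[str]]]:
    """Return (sig_id, reasons) for each event needing review, in log order."""
    return [(e.sig_id, e.reasons) for e in parse_events(text) if e.reasons]


if __name__ == "__main__":
    for sig_id, why in triage(SAMPLE_EVENTS):
        print(sig_id, "->", "; ".join(why))
```

Run against the sample, the three MS-SQL/SMB entries are flagged and the blocked HTTP entry is not; the `sp_password` line is flagged for a non-routable source rather than as internal-to-internal, because its source as quoted falls in 0.0.0.0/8. Adding a local rule such as "permit only from the application server's own address" is the natural next refinement once the customer confirms which hosts are expected to talk to the database.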
Current thread:
- IPS log analysis erika_cispp (May 12)
- Re: IPS log analysis LGM (May 12)
- <Possible follow-ups>
- Re: IPS log analysis erika_cissp (May 12)
- RE: IPS log analysis Sergio Castro (May 12)