Snort mailing list archives

Re: PS: Snort Newbie


From: John Sage <jsage () finchhaven com>
Date: Sun, 16 Sep 2001 09:08:34 -0700

Jason Withrow wrote:

Ok, I think that is the problem, I need to define the IPs as External and Internal.

I am guessing (Don't laugh, I am pretty new at this) that the $EXTERNAL var should be my global internet NIC IP and $INTERNAL should be my intranet 192.168.x.x NIC?

Also, how does one make any sense out of the packets? This looks pretty Greek to me.


Depending on how serious you are about learning about TCP/IP, which is what the Internet runs on, there really is no substitute for:

"TCP/IP Illustrated, vol 1, W. Richard Stevens, Addison-Wesley"

There are other books, but this is the one I hear recommended most often. I have the entire series, vols 1-3.


To break this down:


[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]


This is the identifier for what sort of a problem snort sees the packet to be. See:

http://www.whitehats.com/info/IDS552

The classic Micro$oft Index Server ISAPI extension overflow attempt that we have all become so familiar with, lately ;-)


09/16-02:55:00.611575 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800 len:0x5EA


Date and timestamp; source hardware address -> destination hardware address; type:0x800 indicates that this is an IP datagram


66.31.138.68:1198 -> 66.31.82.9:80 TCP TTL:124 TOS:0x0 ID:51642 IpLen:20 DgmLen:1500 DF


source IP address:source port (1198) -> destination IP address:destination port (80)

Port 80 is the standard well-known port for http/www transactions.

Just out of curiosity:

BW whois 2.9 by Bill Weinman
© 1999-2001 William E. Weinman

Request: 66.31.138.68
connecting to whois.arin.net [192.149.252.22:43] ...
MediaOne NorthEast (NET-M1-NE-4)
   27 Industrial Ave.
   Chelmsford, MA 01824
   US

   Netname: M1-NE-4
   Netblock: 66.31.0.0 - 66.31.255.255
Maintainer: MDON

So this is someone (probably a Window$ box given the low port..) at 66.31.138.68 trying to connect to 66.31.82.9 (which should be you..) on your port 80. Are you running Win 2000 or Win NT with IIS 4.0 or 5.0 enabled?

Can you say "Code Red"?

See:

http://www.cert.org/advisories/CA-2001-19.html

and

http://www.cert.org/advisories/CA-2001-13.html


> TCP TTL:124 TOS:0x0 ID:51642 IpLen:20 DgmLen:1500 DF

Anyway, to continue.. TCP - this is a TCP packet; TTL:124 - Time To Live: how many hops the packet has left before it should be dropped by a well-configured router; TOS:0x0 - Type Of Service: not set; ID:51642 - an integer set by the sending host to uniquely identify the packet; IpLen:20 - the length in bytes of the IP header (normal)


***A**** Seq: 0xF79A6595  Ack: 0xF0C2A391  Win: 0x4470  TcpLen: 20


TCP flags - the ACK flag is set, indicating that this packet is responding to (ACKnowledging..) a packet you've sent (this can be faked..); Seq: 0xF79A6595 - the TCP sequence number identifying which packet *this* is; Ack: 0xF0C2A391 - which sequence number the other end expects to receive *next*; Win: 0x4470 - the sending host is advertising a receive window (packet size) of hex 4470 (decimal 17520) bytes; and, finally, TcpLen: 20 - the TCP length of this datagram is 20 bytes


Fun stuff, huh?

- John

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
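An added example, not code from the post or from the Snort project: a small Python parser for the full-format alert John walks through above (the four-line layout Snort 1.x writes when run with -e). It turns each field into a typed value, expands the eight-column flag field the way Snort lays it out (reserved bits 1 and 2, then URG ACK PSH RST SYN FIN), converts the hex window and frame length, and classifies the packet's direction against a home network. The sample alert is the one quoted in the post, embedded as a constructed input; the home network 66.31.82.0/24 and the initial-TTL table are assumptions used only for illustration.

```python
import ipaddress
import re

# Constructed sample: the alert quoted in the post above, pasted verbatim.
SAMPLE_ALERT = """\
[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
09/16-02:55:00.611575 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800 len:0x5EA
66.31.138.68:1198 -> 66.31.82.9:80 TCP TTL:124 TOS:0x0 ID:51642 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xF79A6595  Ack: 0xF0C2A391  Win: 0x4470  TcpLen: 20
"""

MSG_RE = re.compile(r"^\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]$")
ETH_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src_mac>[0-9A-Fa-f:]+)\s+->\s+(?P<dst_mac>[0-9A-Fa-f:]+)\s+"
    r"type:(?P<ethertype>0x[0-9A-Fa-f]+)\s+len:(?P<frame_len>0x[0-9A-Fa-f]+)$"
)
IP_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+"
    r"ID:(?P<ipid>\d+)\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)"
    r"(?P<ipflags>(?:\s+\w+)*)$"
)
TCP_RE = re.compile(
    r"^(?P<flags>[12UAPRSF*]{8})\s+Seq:\s*(?P<seq>0x[0-9A-Fa-f]+)\s+"
    r"Ack:\s*(?P<ack>0x[0-9A-Fa-f]+)\s+Win:\s*(?P<win>0x[0-9A-Fa-f]+)\s+"
    r"TcpLen:\s*(?P<tcplen>\d+)$"
)

# Snort prints the TCP flag byte as eight fixed columns, in this order;
# a '*' means the bit is clear.
FLAG_COLUMNS = "12UAPRSF"
FLAG_NAMES = {"1": "RES1", "2": "RES2", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}


def tcp_flags(column_str):
    """Expand a Snort flag field such as '***A****' into the set flag names."""
    if len(column_str) != len(FLAG_COLUMNS):
        raise ValueError("flag field must be 8 columns: %r" % column_str)
    flags = []
    for expected, ch in zip(FLAG_COLUMNS, column_str):
        if ch == "*":
            continue
        if ch != expected:
            raise ValueError("unexpected flag %r in column for %r" % (ch, expected))
        flags.append(FLAG_NAMES[ch])
    return flags


def parse_alert(text):
    """Parse one full-format Snort alert (message, Ethernet, IP and TCP lines) into a dict."""
    alert = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MSG_RE.match(line)
        if m:
            alert["msg"] = m.group("msg")
            continue
        m = ETH_RE.match(line)
        if m:
            alert["timestamp"] = m.group("ts")
            alert["src_mac"], alert["dst_mac"] = m.group("src_mac"), m.group("dst_mac")
            alert["ethertype"] = int(m.group("ethertype"), 16)  # 0x800 = IPv4
            alert["frame_len"] = int(m.group("frame_len"), 16)  # whole Ethernet frame, in bytes
            continue
        m = IP_RE.match(line)
        if m:
            alert["src"], alert["dst"] = m.group("src"), m.group("dst")
            alert["sport"], alert["dport"] = int(m.group("sport")), int(m.group("dport"))
            alert["proto"] = m.group("proto")
            alert["ttl"] = int(m.group("ttl"))
            alert["tos"] = int(m.group("tos"), 16)
            alert["ipid"] = int(m.group("ipid"))
            alert["iplen"] = int(m.group("iplen"))
            alert["dgmlen"] = int(m.group("dgmlen"))
            alert["ipflags"] = m.group("ipflags").split()  # e.g. ['DF']
            continue
        m = TCP_RE.match(line)
        if m:
            alert["flags"] = tcp_flags(m.group("flags"))
            alert["seq"] = int(m.group("seq"), 16)
            alert["ack"] = int(m.group("ack"), 16)
            alert["win"] = int(m.group("win"), 16)  # 0x4470 -> 17520 bytes
            alert["tcplen"] = int(m.group("tcplen"))
            continue
        raise ValueError("unrecognised alert line: %r" % line)
    return alert


def guess_initial_ttl(ttl):
    """Heuristic (an assumption, not from the post): map an observed TTL to the
    nearest common initial value and the implied hop count."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError("TTL out of range: %d" % ttl)


def direction(alert, home_net):
    """Classify the packet relative to home_net, the way $HOME_NET/$EXTERNAL_NET would."""
    home = ipaddress.ip_network(home_net)
    src_in = ipaddress.ip_address(alert["src"]) in home
    dst_in = ipaddress.ip_address(alert["dst"]) in home
    if dst_in and not src_in:
        return "inbound"
    if src_in and not dst_in:
        return "outbound"
    return "internal" if src_in else "external"


if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(a["msg"], direction(a, "66.31.82.0/24"), a["flags"], a["win"])
```

The frame length Snort reports (len:0x5EA, 1514 bytes) is the 1500-byte IP datagram plus the 14-byte Ethernet header, which is a quick consistency check worth keeping in any parser of this format; a mismatch usually means the line came from a different link type than the one you assumed.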


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

