Snort mailing list archives
Re: PS: Snort Newbie
From: John Sage <jsage () finchhaven com>
Date: Sun, 16 Sep 2001 09:08:34 -0700
Jason Withrow wrote:
Ok, I think that is the problem, I need to define the IPs as External and Internal. I am guessing (Don't laugh, I am pretty new at this) that the $EXTERNAL var should be my global internet NIC IP and $INTERNAL should be my intranet 192.168.x.x NIC? Also, how does one make any sense out of the packets? This looks pretty Greek to me.
Depending on how serious you are about learning about TCP/IP, which is what the Internet runs on, there really is no substitute for:
"TCP/IP Illustrated, vol 1, W. Richard Stevens, Addison-Wesley"
There are other books, but this is the one I hear recommended most often. I have the entire series, vols 1-3.
To break this down:
[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
This is the identifier for what sort of a problem snort sees the packet to be. See:
http://www.whitehats.com/info/IDS552
The classic Micro$oft Index Server ISAPI extension overflow attempt that we have all become so familiar with, lately ;-)
09/16-02:55:00.611575 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800 len:0x5EA
Date and timestamp; source hardware address -> destination hardware address; type:0x800 indicates that this is an IP datagram
66.31.138.68:1198 -> 66.31.82.9:80 TCP TTL:124 TOS:0x0 ID:51642 IpLen:20 DgmLen:1500 DF
source IP address:source port (1198) -> destination IP address:destination port (80)
Port 80 is the standard well-known port for http/www transactions. Just out of curiosity:

BW whois 2.9 by Bill Weinman
© 1999-2001 William E. Weinman
Request: 66.31.138.68
connecting to whois.arin.net [192.149.252.22:43] ...
MediaOne NorthEast (NET-M1-NE-4)
27 Industrial Ave.
Chelmsford, MA 01824
US
Netname: M1-NE-4
Netblock: 66.31.0.0 - 66.31.255.255
Maintainer: MDON

So this is someone (probably a Window$ box given the low port..) at 66.31.138.68 trying to connect to 66.31.82.9 (which should be you..) on your port 80. Are you running Win 2000 or Win NT with IIS 4.0 or 5.0 enabled?
Can you say "Code Red"? See:
http://www.cert.org/advisories/CA-2001-19.html
and
http://www.cert.org/advisories/CA-2001-13.html

> TCP TTL:124 TOS:0x0 ID:51642 IpLen:20 DgmLen:1500 DF

Anyway, to continue..
TCP - this is a TCP packet;
TTL:124 - Time To Live: how many hops the packet has left before it should be dropped by a well-configured router;
TOS:0x0 - Type Of Service: not set;
ID:51642 - an integer set by the sending host to uniquely identify the packet;
IpLen:20 - the length in bytes of the IP header (normal)
***A**** Seq: 0xF79A6595 Ack: 0xF0C2A391 Win: 0x4470 TcpLen: 20
TCP flags - the ACK flag is set, indicating that this packet is responding to (ACKnowledging..) a packet you've sent (this can be faked..);
Seq: 0xF79A6595 - the TCP sequence number identifying which packet *this* is;
Ack: 0xF0C2A391 - which sequence number the other end expects to receive *next*;
Win: 0x4470 - the sending host is advertising a receive window (packet size) of hex 4470 (decimal 17520) bytes;
and, finally, TcpLen: 20 - the TCP length of this datagram is 20 bytes
Fun stuff, huh?

- John
--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
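The field-by-field walk through the alert above is exactly what a small parser does mechanically. The following is an added example (editor's code, not from John's post or the Snort project) that takes the four alert lines quoted in the message, which are embedded here as a constant, and turns them into typed fields: the hex Ethernet type becomes a protocol name, the hex window becomes the decimal 17520 John mentions, the `***A****` string becomes a list of set flags, and subtracting IpLen and TcpLen from DgmLen gives the payload size. The regexes assume the classic Snort 1.x "full" alert layout shown in the post; the Ethernet type table and the `12UAPRSF` flag positions are stated as assumptions in the comments.

```python
import re
from dataclasses import dataclass
from typing import List

# The four alert lines from the post, pasted in as a constant so the example
# runs offline (this is the quoted alert text, not live sensor output).
SAMPLE_ALERT = """\
[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
09/16-02:55:00.611575 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800 len:0x5EA
66.31.138.68:1198 -> 66.31.82.9:80 TCP TTL:124 TOS:0x0 ID:51642 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xF79A6595 Ack: 0xF0C2A391 Win: 0x4470 TcpLen: 20
"""

# Assumed lookup for the Ethernet "type:" field; only 0x800 appears in the post.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

# Snort prints the TCP flag byte as eight positions, 1 2 U A P R S F
# (two reserved bits, then URG ACK PSH RST SYN FIN); '*' means not set.
FLAG_NAMES = {"1": "RES1", "2": "RES2", "U": "URG", "A": "ACK",
              "P": "PSH", "R": "RST", "S": "SYN", "F": "FIN"}

RE_MSG = re.compile(r"^\[\*\*\]\s*(?P<msg>.*?)\s*\[\*\*\]$")
RE_ETH = re.compile(r"^(?P<ts>\S+)\s+(?P<smac>\S+)\s+->\s+(?P<dmac>\S+)\s+"
                    r"type:0x(?P<type>[0-9A-Fa-f]+)\s+len:0x(?P<len>[0-9A-Fa-f]+)$")
RE_IP = re.compile(r"^(?P<sip>\S+):(?P<sport>\d+)\s+->\s+(?P<dip>\S+):(?P<dport>\d+)\s+"
                   r"(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:0x(?P<tos>[0-9A-Fa-f]+)\s+"
                   r"ID:(?P<id>\d+)\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)(?P<ipflags>.*)$")
RE_TCP = re.compile(r"^(?P<flags>[12UAPRSF*]{8})\s+Seq:\s*0x(?P<seq>[0-9A-Fa-f]+)\s+"
                    r"Ack:\s*0x(?P<ack>[0-9A-Fa-f]+)\s+Win:\s*0x(?P<win>[0-9A-Fa-f]+)\s+"
                    r"TcpLen:\s*(?P<tcplen>\d+)$")


@dataclass
class SnortAlert:
    message: str
    timestamp: str
    src_mac: str
    dst_mac: str
    ethertype: int       # decoded from the hex "type:" field
    frame_len: int       # decoded from the hex "len:" field
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    ttl: int
    tos: int
    ip_id: int
    ip_hdr_len: int      # IpLen
    dgm_len: int         # DgmLen, total IP datagram length
    ip_flags: List[str]  # e.g. ["DF"]
    tcp_flags: List[str] # e.g. ["ACK"]
    seq: int
    ack: int
    window: int          # advertised receive window, decimal
    tcp_hdr_len: int     # TcpLen

    def payload_length(self) -> int:
        """Bytes left for TCP payload once the IP and TCP headers are subtracted."""
        return self.dgm_len - self.ip_hdr_len - self.tcp_hdr_len


def parse_snort_alert(text: str) -> SnortAlert:
    """Parse one four-line Snort 'full' TCP alert into typed fields."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) != 4:
        raise ValueError(f"expected 4 alert lines, got {len(lines)}")
    m_msg, m_eth, m_ip, m_tcp = (
        rx.match(ln) for rx, ln in zip((RE_MSG, RE_ETH, RE_IP, RE_TCP), lines))
    if not all((m_msg, m_eth, m_ip, m_tcp)):
        raise ValueError("alert does not match the Snort full-alert layout")
    return SnortAlert(
        message=m_msg["msg"], timestamp=m_eth["ts"],
        src_mac=m_eth["smac"], dst_mac=m_eth["dmac"],
        ethertype=int(m_eth["type"], 16), frame_len=int(m_eth["len"], 16),
        src_ip=m_ip["sip"], src_port=int(m_ip["sport"]),
        dst_ip=m_ip["dip"], dst_port=int(m_ip["dport"]),
        proto=m_ip["proto"], ttl=int(m_ip["ttl"]), tos=int(m_ip["tos"], 16),
        ip_id=int(m_ip["id"]), ip_hdr_len=int(m_ip["iplen"]),
        dgm_len=int(m_ip["dgmlen"]), ip_flags=m_ip["ipflags"].split(),
        tcp_flags=[FLAG_NAMES[c] for c in m_tcp["flags"] if c != "*"],
        seq=int(m_tcp["seq"], 16), ack=int(m_tcp["ack"], 16),
        window=int(m_tcp["win"], 16), tcp_hdr_len=int(m_tcp["tcplen"]),
    )


if __name__ == "__main__":
    a = parse_snort_alert(SAMPLE_ALERT)
    print(f"{a.message}: {a.src_ip}:{a.src_port} -> {a.dst_ip}:{a.dst_port} "
          f"({ETHERTYPES.get(a.ethertype, 'unknown')}, flags {'/'.join(a.tcp_flags)}, "
          f"window {a.window} bytes, {a.payload_length()} payload bytes)")
```

Run it and the one alert from the post decodes to an IPv4 frame, ACK-only, a 17520-byte window and 1460 bytes of payload (1500 minus two 20-byte headers), which is the full-size segment you would expect a long ".ida" request to arrive in. The parser deliberately rejects anything that is not the four-line TCP layout rather than guessing, so feed it UDP or ICMP alerts only after adding a matching pattern.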
Current thread:
- Snort Newbie Jason Withrow (Sep 15)
- PS: Snort Newbie Jason Withrow (Sep 15)
- RE: Snort Newbie Neal Timm (Sep 16)
- Re: PS: Snort Newbie John Sage (Sep 16)