Snort mailing list archives

Re: Linux and packet loss


From: Phil Wood <cpw () lanl gov>
Date: Thu, 2 Aug 2001 17:12:24 -0600

Jason,

Just a few thoughts on this subject:

In my case I don't want to see these events ever again.  The net result of
catching these was that my sql database machine ran up a 3Gig tab in 24 hours
on the data, the partition was used up, and the 1,000,000 plus alerts in ACID
were lost to perpetuity.  (Most of those were ISAPI!)  Also, all other
logging ceased until I figured this out.

Of course this is a perfect time to try some other forms of attack,
because the sensors have all been disabled by a lack of anywhere to
put the information.  In fact, what snort did was hang on a read of a
response from the sql daemon, resulting in never getting off the current
packet.  It did this on 3 systems, which were all dependent on the sql server.

Although it's nice to have the ACID interface to what's happening, I need
to come up with a mechanism where capture is not in lock step with recording.

Also, it was really silly of me to capture this stuff.  Why?  Because the
packets were not getting to a host that was vulnerable to the attack.  All
the Code Red infected machines (300,000+) that were pumping packets to port 80
on all the hosts on our class B were getting a response from a web proxy that
told them to get their cryptocard out and get ready to do a little ssl dance.

Live and learn.

Later,

On Fri, Aug 03, 2001 at 09:28:24AM +1200, Jason Haar wrote:

> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .XXX attempt"; \
>     uricontent:".XXX?"; nocase; dsize:>239; flags:A+; \
>     reference:arachnids,552; classtype:attempted-admin; \
>     reference:cve,CAN-2000-0071; sid:1243; rev:1;)

-- 
Phil Wood, cpw () lanl gov
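The failure Phil describes above (the sensor hanging on a read from the sql daemon and never getting off the current packet) is what happens when capture and recording share one thread. Below is an added example, not code from the original post or from Snort, of the decoupling he says he needs: the capture loop hands alerts to a bounded queue and moves on; a separate writer thread is the only thing that ever talks to the backend, and when the queue is full the overflow goes to a local spool file rather than blocking the reader. The `AlertSpooler` class, the hung `sink`, and the alert traffic are all constructed here so the script runs offline.

```python
"""Decoupled alert spooling: the capture loop never waits on the database.

Added example, not code from the original post or from Snort. The "sensor",
the database sink and the alert traffic are all constructed here so it runs
offline; the hypothetical AlertSpooler stands in for an out-of-band spooler.
"""
import os
import queue
import tempfile
import threading
import time
from dataclasses import dataclass


@dataclass
class Alert:
    sid: int
    msg: str
    src: str


class AlertSpooler:
    """Hands alerts to a slow or hung backend via a bounded queue.

    The capture thread only ever calls submit(), which never blocks: when the
    queue is full the alert is appended to a local spool file instead of
    stalling the reader on the current packet.
    """

    def __init__(self, sink, spool_path, maxsize=100):
        self.sink = sink                  # callable that stores one Alert (the "sql daemon")
        self.spool_path = spool_path
        self.q = queue.Queue(maxsize=maxsize)
        self.stored = 0                   # alerts the backend accepted
        self.spooled = 0                  # alerts diverted to the local spool file
        self._stop = threading.Event()
        self._writer = threading.Thread(target=self._drain, daemon=True)
        self._writer.start()

    def submit(self, alert):
        """Called from the capture loop; True if queued, False if spooled."""
        try:
            self.q.put_nowait(alert)
            return True
        except queue.Full:
            # Backend is behind: keep the alert on local disk, keep capturing.
            with open(self.spool_path, "a", encoding="utf-8") as fh:
                fh.write(f"{alert.sid}\t{alert.src}\t{alert.msg}\n")
            self.spooled += 1
            return False

    def _drain(self):
        # Only this thread talks to the backend, so a hang here stalls the
        # writer, not the sensor.
        while not self._stop.is_set() or not self.q.empty():
            try:
                alert = self.q.get(timeout=0.05)
            except queue.Empty:
                continue
            self.sink(alert)
            self.stored += 1
            self.q.task_done()

    def close(self):
        self._stop.set()
        self._writer.join()


def run_simulation(n_alerts=500, maxsize=100):
    """Feed n_alerts to a hung backend and report what happened to them."""
    db_up = threading.Event()          # cleared == backend hangs on every write
    accepted = []

    def hung_sink(alert):
        db_up.wait()                   # blocks until the backend "recovers"
        accepted.append(alert)

    fd, spool_path = tempfile.mkstemp(prefix="alert-spool-")
    os.close(fd)
    spooler = AlertSpooler(hung_sink, spool_path, maxsize=maxsize)

    # The capture loop: one alert per packet, never waiting on the backend.
    start = time.monotonic()
    for i in range(n_alerts):
        src = f"10.0.{i // 256}.{i % 256}"          # constructed source addresses
        spooler.submit(Alert(sid=1243, msg="WEB-IIS ISAPI .XXX attempt", src=src))
    capture_seconds = time.monotonic() - start

    db_up.set()                        # backend comes back; queued alerts flush
    spooler.close()
    with open(spool_path, encoding="utf-8") as fh:
        spool_lines = sum(1 for _ in fh)
    os.unlink(spool_path)

    return {
        "capture_seconds": capture_seconds,
        "stored": spooler.stored,
        "spooled": spooler.spooled,
        "spool_lines": spool_lines,
        "accepted_by_backend": len(accepted),
    }


if __name__ == "__main__":
    print(run_simulation())
```

With the backend hung, the writer thread gets stuck on the first alert it dequeues, the queue fills to `maxsize`, and every further alert lands in the spool file while the capture loop finishes in milliseconds; nothing is lost, and once the backend returns the queue drains. A real deployment would also want a replay path for the spool file and a watchdog on queue depth, since a permanently full queue is itself a signal that recording has failed.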

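For the rule quoted from Jason's message, here is an added example (not Snort's own matching code and not part of the original thread) that implements just the options that rule uses, `flags:A+`, `dsize:>239`, `uricontent` with `nocase`, and the destination port 80, and runs them over hand-built packets. The `Packet` class, the request samples and the `worm_style_request` padding are constructed here; the example models only the destination port of the header, not the `$EXTERNAL_NET`/`$HTTP_SERVERS` address variables.

```python
"""Evaluating the quoted sid:1243 rule options against constructed packets.

Added example, not Snort's own code. Implements only the options the quoted
rule uses (dst port, flags:A+, dsize, uricontent/nocase) over a hand-built
packet record so it runs offline; the Packet class and samples are constructed.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    dst_port: int
    tcp_flags: str      # e.g. "PA" for PSH+ACK, as Snort/tcpdump print them
    payload: bytes


RULE_1243 = {
    "dport": 80,
    "uricontent": b".XXX?",
    "nocase": True,
    "dsize_gt": 239,    # dsize:>239 compares the TCP payload length only
    "flags": "A+",      # ACK must be set; any other flags may also be set
}


def flags_match(spec, tcp_flags):
    """'A+' means the listed flags must be present and others are ignored;
    a bare 'A' would require exactly those flags and nothing else."""
    required = set(spec.rstrip("+"))
    if spec.endswith("+"):
        return required <= set(tcp_flags)
    return required == set(tcp_flags)


def request_uri(payload):
    """Return the URI from an HTTP request line, or None if there is none."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1]


def matches(rule, pkt):
    if pkt.dst_port != rule["dport"]:
        return False
    if not flags_match(rule["flags"], pkt.tcp_flags):
        return False
    if len(pkt.payload) <= rule["dsize_gt"]:
        return False
    uri = request_uri(pkt.payload)
    if uri is None:
        return False
    needle, hay = rule["uricontent"], uri
    if rule["nocase"]:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def worm_style_request(pad_len):
    """Constructed oversized GET to an ISAPI extension, padded like the worm probes."""
    uri = b"/default.XXX?" + b"N" * pad_len
    return b"GET " + uri + b" HTTP/1.0\r\nHost: www\r\n\r\n"


# Constructed samples: only the first two should fire.
SAMPLES = {
    "long_probe_push_ack": Packet(80, "PA", worm_style_request(232)),
    "long_probe_lowercase_ack_only": Packet(
        80, "A", b"GET /default.xxx?" + b"X" * 240 + b" HTTP/1.0\r\n\r\n"),
    "short_probe": Packet(80, "PA", b"GET /default.xxx? HTTP/1.0\r\n\r\n"),
    "long_probe_no_ack": Packet(80, "P", worm_style_request(232)),
    "long_probe_wrong_port": Packet(8080, "PA", worm_style_request(232)),
    "long_benign": Packet(80, "PA", b"GET /" + b"a" * 300 + b" HTTP/1.0\r\n\r\n"),
}


def evaluate_samples():
    return {name: matches(RULE_1243, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:32s} {'ALERT' if hit else '-'}")
```

The short probe shows what `dsize:>239` buys: the same URI in a 30-byte request does not fire, so the rule keys on the oversized request rather than on the extension name alone. The `nocase` sample fires on `.xxx?` in lower case, and the ACK-only sample fires because `A+` only requires ACK to be present.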

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
