Snort mailing list archives
Re: MISC IP Reserved bit set
From: "Frontgate Lab" <mdiwan () wagweb com>
Date: Fri, 12 Oct 2001 11:27:51 -0400
Nuts... I guess the spoof blocking wasn't completely in place. I reran the spoofblock script to make sure everything was OK and got this instead:

    cat /proc/sys/net/ipv4/conf/*/rp_filter
    1
    1
    1
    1

I guess I sent that email too soon. Still, I would appreciate anyone's input on the questions I asked below.

Thank you
Madhav

Frontgate Lab wrote:
Hiya... errm... I think this is bad. I believe it is Nimda:

    Oct 11 11:48:35 fglab snort[4483]: [1:1284:3] WEB-MISC readme.eml attempt [Classification: Attempted User Privilege Gain] [Priority: 8]: {TCP} 151.196.107.166:80 -> 192.168.150.203:35434

nslookup results:

    nslookup 151.196.107.166
    Note: nslookup is deprecated and may be removed from future releases.
    Consider using the `dig' or `host' programs instead. Run nslookup with
    the `-sil[ent]' option to prevent this message from appearing.
    Server:         207.150.196.199
    Address:        207.150.196.199#53

    Non-authoritative answer:
    166.107.196.151.in-addr.arpa    name = snort.sourcefire.com.

    Authoritative answers can be found from:
    166.107.196.151.in-addr.arpa    nameserver = ns1.sourcefire.com.
    166.107.196.151.in-addr.arpa    nameserver = ns2.sourcefire.com.
    ns1.sourcefire.com      internet address = 151.196.107.164
    ns2.sourcefire.com      internet address = 151.196.107.165

Good thing I use a Linux workstation :) Of course the source address could be spoofed, but I kinda don't think so, as I have this:

    [root@fglab /root]# cat /proc/sys/net/ipv4/conf/*/rp_filter
    1
    0
    0
    0

Could you guys help and tell me if I'm way off the mark or on the money, and if this is legitimate? Also, is my spoof blocking working? I have the following code from Bob Toxen on my workstation, which is behind a Linux firewall that does masquerading out:

    #!/bin/sh
    # Turn on Source Address Verification on all interfaces
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        echo -n "Enabling IP spoofing blocking..."
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 1 > $f
        done
        echo "done."
    else
        echo "ERROR: CANNOT SET UP IP SPOOF BLOCKING! HELP!"
        sleep 30
    fi

    [root@fglab /root]# snort -V
    -*> Snort! <*-
    Version 1.8.1-current (Build 79)
    By Martin Roesch (roesch () sourcefire com, www.snort.org)

    [root@fglab /root]# rpm -q MySQL
    MySQL-3.23.43-1
    [root@fglab /root]# rpm -q MySQL-Max
    MySQL-Max-3.23.43-1

    ps ax | grep snort
     4483 ?        S    0:28 snort -D -s -c /etc/snort/snort.conf -l /var/log/snor
    15562 pts/3    S    0:00 grep snort

Thank you. By the way, SNORT rules!!

Madhav Diwan

PS: How do I figure out why the snort alerts are not getting into my MySQL database even when I have the following line in the snort.conf?

    # database: log to a variety of databases
    # See the README.database file for more information about configuring
    output database: log, mysql, user=user dbname=snort host=localhost
    # output database: alert, postgresql, user=snort dbname=snort
    # output database: log, unixodbc, user=snort dbname=snort
    # output database: log, mssql, dbname=snort user=snort password=test
    # as databases or the network can now be avoided.
    # and a mysql database.
    # output database: log, mysql, user=snort dbname=snort host=localhost

When I do a process listing in MySQL, it seems that snort is no longer logged in from localhost after some time elapses. Also, has anyone figured out how to get portscans into the database?

A lot of questions. Sorry guys, that's the price you pay for having a support list :)

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
Wagner Weber & Williams
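The bare column of 0/1 values that `cat /proc/sys/net/ipv4/conf/*/rp_filter` prints carries no interface names, which is what makes the "1 0 0 0" output in the quoted message hard to read. The script below is an added example and is not part of the original post or of Bob Toxen's script: it prints every rp_filter entry next to its interface name and exits non-zero if any interface other than the all/default pseudo-entries and lo still has source-address verification off. The optional directory argument is an assumption made for running it against a copy of the sysctl tree; with no argument it reads the live /proc/sys/net/ipv4/conf.

```shell
#!/bin/sh
# Added example, not from the original post or from Bob Toxen's script.
# Print each rp_filter entry next to its interface name and fail if any
# real interface still has source-address verification turned off.
#
# Usage: rp_filter_report [CONF_DIR]
#   CONF_DIR defaults to /proc/sys/net/ipv4/conf (the live sysctl tree).
#   Passing another directory with the same layout is an assumption made
#   here so the check can be run against a copy of that tree.
# Exit status: 0 if every entry except all/default/lo is non-zero,
#              1 otherwise (the unprotected interfaces are listed).
rp_filter_report() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    unprotected=""
    # The shell sorts the glob, so the order is the same as in
    # "cat .../*/rp_filter": all, default, eth0, ..., lo.
    for f in "$conf_dir"/*/rp_filter; do
        [ -f "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        printf '%-12s rp_filter=%s\n' "$iface" "$val"
        case "$iface" in
            all|default|lo) ;;   # pseudo-entries and loopback: not a real path in
            *) [ "$val" != "0" ] || unprotected="$unprotected $iface" ;;
        esac
    done
    if [ -n "$unprotected" ]; then
        echo "UNPROTECTED:$unprotected"
        return 1
    fi
    echo "OK: source address verification is on for every interface"
    return 0
}

# Run against the live tree when executed as a script named rp_filter_report*
# (not when the file is sourced to reuse the function).
case "$0" in
    *rp_filter_report*) rp_filter_report "$@" ;;
esac
```

Because the glob is sorted, the first value printed is always conf/all, so a column that starts with 1 and continues with 0s means only the "all" entry had been set and the per-interface entries had not. Rerunning the loop from Bob Toxen's script writes 1 into every entry, which is the state the reply at the top of this message reports.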
Current thread:
- MISC IP Reserved bit set Jean Michel BARBET (Oct 08)
- Re: MISC IP Reserved bit set Erek Adams (Oct 09)
- RE: MISC IP Reserved bit set Ofir Arkin (Oct 15)
- <Possible follow-ups>
- Re: MISC IP Reserved bit set Miller, Toby (Oct 09)
- Re: MISC IP Reserved bit set Martin Roesch (Oct 11)
- Re: MISC IP Reserved bit set Frontgate Lab (Oct 12)
- Re: MISC IP Reserved bit set Frontgate Lab (Oct 12)
- Re: MISC IP Reserved bit set Martin Roesch (Oct 14)
- Re: MISC IP Reserved bit set Martin Roesch (Oct 11)
- Re: MISC IP Reserved bit set Matthew Collins (Oct 12)
- Re: MISC IP Reserved bit set Frontgate Lab (Oct 12)
- Re: MISC IP Reserved bit set Matthew Collins (Oct 12)
- Re: downloading rules from snort.org while snort is running on your server. Frontgate Lab (Oct 12)