Re: MISC IP Reserved bit set

["Frontgate Lab" <mdiwan () wagweb com>]

nuts .. i guess the spoofblocking wasnt completely in place 

i reran the spoofblock script to make sure everything was ok and got
this instead:

 cat /proc/sys/net/ipv4/conf/*/rp_filter
1
1
1
1

i guess i sent that email too soon

Still.. i would appreciate anyones input into the questions i asked
below.

Thank you

Madhav




Frontgate Lab wrote:
> Hiya .. errm.. i think this is bad... i belive it is nimda:
>
> Oct 11 11:48:35 fglab snort[4483]: [1:1284:3] WEB-MISC readme.eml
> attempt [Classification: Attempted User Privilege Gain] [Priority: 8]:
> {TCP} 151.196.107.166:80 -> 192.168.150.203:35434
>
> nslookup results:
>
>  nslookup 151.196.107.166
> Note:  nslookup is deprecated and may be removed from future releases.
> Consider using the `dig' or `host' programs instead.  Run nslookup with
> the `-sil[ent]' option to prevent this message from appearing.
> Server:         207.150.196.199
> Address:        207.150.196.199#53
>
> Non-authoritative answer:
> 166.107.196.151.in-addr.arpa    name = snort.sourcefire.com.
>
> Authoritative answers can be found from:
> 166.107.196.151.in-addr.arpa    nameserver = ns1.sourcefire.com.
> 166.107.196.151.in-addr.arpa    nameserver = ns2.sourcefire.com.
> ns1.sourcefire.com      internet address = 151.196.107.164
> ns2.sourcefire.com      internet address = 151.196.107.165
>
> good thing i use a linux workstation :)
>
> of course the source address could be spoofed but ..
> i kinda dont think so as i have this :
>
> [root@fglab /root]# cat /proc/sys/net/ipv4/conf/*/rp_filter
> 1
> 0
> 0
> 0
>
> Could you guys help and tell me me if im way off mark or on the money..
> and if this is legitimate.. also .. is my spoof blocking working?
>
> I have the following code from Bob Toxen on my workstation which is
> behind a linux firewall that does masquerading out:
>
> #!/bin/sh
> # Turn on Source Address Verification on all interfaces
> if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
>         echo -n "Enabling IP spoofing blocking..."
>         for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>                 echo 1 > $f
>         done
>         echo "done."
> else
>         echo "ERROR: CANNOT SET UP IP SPOOF BLOCKING!  HELP!"
>         sleep 30
> fi
>
> [root@fglab /root]# snort -V
>
> -*> Snort! <*-
> Version 1.8.1-current (Build 79)
> By Martin Roesch (roesch () sourcefire com, www.snort.org)
>
> [root@fglab /root]# rpm -q MySQL
> MySQL-3.23.43-1
>
> [root@fglab /root]# rpm -q MySQL-Max
> MySQL-Max-3.23.43-1
>
>
> ps ax | grep snort
>  4483 ?        S      0:28 snort -D -s -c /etc/snort/snort.conf -l
> /var/log/snor
> 15562 pts/3    S      0:00 grep snort
>
> Thank you.
>
>  by the way SNORT rules!!
>
>  Madhav Diwan
>
> PS .. how do i figure out why the snort alerts are not getting into my
> mysql database even when i have the following line in the snort.conf?
>
> # database: log to a variety of databases
> # See the README.database file for more information about configuring
>  output database: log, mysql, user=user dbname=snort host=localhost
> # output database: alert, postgresql, user=snort dbname=snort
> # output database: log, unixodbc, user=snort dbname=snort
> # output database: log, mssql, dbname=snort user=snort password=test
> # as databases or the network can now be avoided.
> # and a mysql database.
> #   output database: log, mysql, user=snort dbname=snort host=localhost
>
> when i do a process listing in mysql it seems that snort  is no longer
> logged in from localhost after some time elapses.
>
> Also has anyone figured out how to get portscans into the database?
>
> A lot of Questions.. Sorry guys.. thats the price you pay for having a
> support list :)
>
> .
>
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list
> >
> > --
> > Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> > roesch () sourcefire com - http://www.sourcefire.com
> > Snort: Open Source Network IDS - http://www.snort.org


Note: The information contained in this message may be privileged and confidential and protected from disclosure.  If 
the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this 
communication is strictly prohibited. If you have received this communication in error, please notify us immediately by 
replying to the message and deleting it from your computer.  Thank you.  Wagner Weber & Williams

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users