Re: My Webservers Are Showing Up In My Alerts

["Vadim Pushkin" <wiskbroom () hotmail com>]

I already did that, in fact I have this instead:

alert tcp $EXTERNAL_NET any -> !$HTTP_SERVERS 8080 (msg:"SCAN Proxy \(8080\) 
attempt"; flags:S; classtype:attempted-recon; sid:620; rev:2;)

The problem is that these are ALSO my proxy servers running
Squid. As such, they are the spring broard into "other" peoples
webservers. Because of this I get alot of WEB-cgi calendar,
WEB-IIS scripts, etc to these machines. Should I add a "!"
into ALL of my rules? I hope not :-)

Thanks again,

Vad

> From: matt <mkettler () evi-inc com>
> To: "Vadim Pushkin" <wiskbroom () hotmail com>, 
> snort-users () lists sourceforge net
> Subject: Re: [Snort-users] My Webservers Are Showing Up In My Alerts
> Date: Thu, 13 Jun 2002 18:38:18 -0400
>
> Ahh you're probably getting "SCAN Proxy Attempt" alerts, since port
> 8080  (along with 1080) often used for socks proxy servers.
>
> Snort's default ruleset assumes any attempt to connect to port 8080 is
> someone scanning for proxy servers to abuse.
>
> go into scan.rules and comment out this rule:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy
> attempt";flags:S; classtype:attempted-recon; sid:620; rev:1;)
>
> and that should quiet your alerts.
>
> At 10:26 PM 6/13/2002 +0000, Vadim Pushkin wrote:
> > Hi and thank you,
> >
> > They are merely access to my port 8080, not breakins at
> > all. Perhaps they are percived this way due to my port
> > change? I do not know. My servers listen on port 8080
> > and the users are legit, mostly internal.
> >
> >
> > Vadim
> >
> >
> > > From: Matt Kettler <mkettler () evi-inc com>
> > > To: "Vadim Pushkin" <wiskbroom () hotmail com>,
> > > snort-users () lists sourceforge net
> > > Subject: Re: [Snort-users] My Webservers Are Showing Up In My Alerts
> > > Date: Thu, 13 Jun 2002 17:34:34 -0400
> > >
> > > Well, that's not surprising.. A lot of the alerts you see are likely to
> > > things like codered, IIS cmd.exe and other such things, directory
> > > traversals, etc.
> > >
> > > These usually represent actual attack attempt on your webserver. It is
> > > usually being done by a virus or an automated tool. It's not uncommon for 
> > > a
> > > webserver to see dozens of these a day. The net is a brutal place, and 
> > > it's
> > > not uncommon to see a network block have exploit attempts hundreds of 
> > > times
> > > per day. Particularly if snort is watching unfiltered traffic in front of
> > > your firewall.
> > >
> > > My best recommendation is that if the alerts bother you, and you KNOW 
> > > that
> > > your webserver cannot possibly be vulnerable, comment out the rule in the
> > > .rules file. (for example, if all your webservers are BSD or Linux Apache
> > > webservers it's pretty safe to comment out the cmd.exe rule).
> > >
> > > It is important to note however that they aren't false alerts, they are
> > > usually genuine attempts to penetrate your webserver to run malicious 
> > > code.
> > > Snort takes the stand of having alerts for attempts, even if they were 
> > > not
> > > successful, because most events that do result in a real compromise are
> > > "noisy" in that they have a lot of failed attempts preceding the one that
> > > succeeded.
> > >
> > > At 07:18 PM 6/13/2002 +0000, Vadim Pushkin wrote:
> > > > Greetings Fellowes;
> > > >
> > > > My snort.conf has the following entries:
> > > >
> > > > var HTTP_SERVERS
> > > > [192.168.11.41/32,192.168.11.42/32,192.168.11.43/32,192.168.11.44/32]
> > > >
> > > > # Above is all on one line
> > > >
> > > > var HTTP_SERVERS_PORT 8080
> > > >
> > > > Several of my rules have port 80 replaced with $HTTP_SERVERS_PORT.
> > > >
> > > > I am getting ALOT of alerts for these as either source or dest.
> > > > How can I prevent this?
> > > >
> > > > Thank you kindly,
> > > >
> > > > -vadim
> > > > Vadim (Ukranian Stallion) Pushkin
> > > >
> > > >
> > > > _________________________________________________________________
> > > > Chat with friends online, try MSN Messenger: http://messenger.msn.com
> > > >
> > > >
> > > > _______________________________________________________________
> > > >
> > > > Don't miss the 2002 Sprint PCS Application Developer's Conference
> > > > August 25-28 in Las Vegas -
> > > > http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink
> > > >
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> >
> > -vadim
> > Vadim (Ukranian Stallion) Pushkin
> >
> >
> > _________________________________________________________________
> > Send and receive Hotmail on your mobile device: http://mobile.msn.com




-vadim
Vadim (Ukranian Stallion) Pushkin


_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.


_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas - http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users