Snort mailing list archives

alert file


From: Zachary Uram <yoda () orion netrek org>
Date: 23 Oct 2002 22:12:44 -0400

Hi,

How can I tell which snort alerts I should be concerned about and which
are harmless? I was running various IDS programs, but the trigger
threshold seemed so low I was getting root mailed every 20 secs with
some different sort of "alert", sheesh.

Here is a small sample of my /var/log/snort/alert file, which is now over
200Kb!

Do any of these entries seem troubling?

(PS: Can someone explain exactly how I interpret these alerts? Perhaps
if someone could take 1 of the examples below and explain in detail what
it really is saying.)


[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-08:44:22.007315 209.16.250.107:2333 -> 209.166.149.198:80
TCP TTL:113 TOS:0x0 ID:55556 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xD9C61308  Ack: 0xF34FE080  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-08:44:23.305171 209.16.250.107:2409 -> 209.166.149.198:80
TCP TTL:113 TOS:0x0 ID:55894 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xDA026642  Ack: 0xF3814B1A  Win: 0x4470  TcpLen: 20


[**] [1:1243:2] WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
06/09-07:33:03.245945 202.3.163.94:1043 -> 209.114.157.210:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1504
***AP*** Seq: 0x13301FBD  Ack: 0x81338CD8  Win: 0x7D78  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS552]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071]


[**] [1:620:1] SCAN Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/02-01:04:42.380797 66.140.25.157:41323 -> 209.114.157.102:8080
TCP TTL:50 TOS:0x0 ID:4457 IpLen:20 DgmLen:60 DF
******S* Seq: 0xB1259605  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 254576492 0 NOP WS: 0 

[**] [1:618:1] INFO - Possible Squid Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/02-01:04:42.391610 66.140.25.157:41324 -> 209.114.157.102:3128
TCP TTL:50 TOS:0x0 ID:38290 IpLen:20 DgmLen:60 DF
******S* Seq: 0xB12412FE  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 254576492 0 NOP WS: 0 

[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 66.140.25.157
(THRESHOLD 4 connections exceeded in 0 seconds) [**]
06/02-01:04:42.705097 

[**] [100:2:1] spp_portscan: portscan status from 66.140.25.157: 5
connections across 1 hosts: TCP(5), UDP(0) [**]
06/02-01:45:57.095856 

[**] [1:485:2] ICMP Destination Unreachable (Communication
Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
06/11-16:58:24.731259 64.12.128.150 -> 209.166.149.133
ICMP TTL:240 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED,
PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
209.166.149.133:1619 -> 64.12.163.214:21
TCP TTL:49 TOS:0x0 ID:23628 IpLen:20 DgmLen:60 DF
Seq: 0xE413B5A3  Ack: 0x1030300
** END OF DUMP

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/21-04:04:16.206809 216.17.162.57 -> 209.114.157.5
ICMP TTL:25 TOS:0x0 ID:39126 IpLen:20 DgmLen:28
Type:8  Code:0  ID:32305   Seq:0  ECHO
[Xref => http://www.whitehats.com/info/IDS162]


[**] [1:477:1] ICMP Source Quench [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/24-06:36:42.576710 66.37.218.174 -> 209.114.157.24
ICMP TTL:237 TOS:0x0 ID:12946 IpLen:20 DgmLen:56 DF
Type:4  Code:0  SOURCE QUENCH

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
09/28-10:12:25.898514 209.114.157.221 -> 209.114.157.222
ICMP TTL:127 TOS:0x0 ID:59706 IpLen:20 DgmLen:60
Type:8  Code:0  ID:49409   Seq:256  ECHO
[Xref => http://www.whitehats.com/info/IDS154]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
09/28-10:12:26.738515 209.114.157.221 -> 209.114.157.222
ICMP TTL:127 TOS:0x0 ID:59707 IpLen:20 DgmLen:60
Type:8  Code:0  ID:49409   Seq:512  ECHO
[Xref => http://www.whitehats.com/info/IDS154]


[**] [117:1:1] (spp_portscan2) Portscan detected from 216.23.79.73: 1
targets 21 ports in 34 seconds [**]
10/19-16:20:36.260326 216.23.79.73:80 -> 209.114.157.248:1643
TCP TTL:49 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0xD374503C  Ack: 0xBF02541A  Win: 0x16A0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 502137444 5021379 NOP 
TCP Options => WS: 0 

[**] [1:613:1] SCAN myscan [**]
[Classification: Attempted Information Leak] [Priority: 2] 
10/20-03:36:59.790314 209.15.153.130:10101 -> 209.114.157.149:23
TCP TTL:243 TOS:0x0 ID:39291 IpLen:20 DgmLen:40
******S* Seq: 0x64  Ack: 0x0  Win: 0x200  TcpLen: 20
[Xref => arachnids 439]

Zach
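The entries quoted above are in Snort's "full" alert format: a `[gid:sid:rev] msg` header, an optional classification/priority line, a timestamp with `src -> dst`, the IP/transport header fields, and any `[Xref => ...]` references. As an added example (not code from the post or from Snort itself), the following Python parser splits such a file into records and then summarises them per priority and source host so the highest-priority sources surface first; `SAMPLE_ALERT_FILE` is a constructed, abbreviated copy of three of the entries above, and the dictionary field names are my own.

```python
import re
from collections import Counter
# Constructed sample in Snort's "full" alert format, abbreviated from the post's entries.
SAMPLE_ALERT_FILE = """[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-08:44:22.007315 209.16.250.107:2333 -> 209.166.149.198:80
TCP TTL:113 TOS:0x0 ID:55556 IpLen:20 DgmLen:112 DF
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 66.140.25.157
(THRESHOLD 4 connections exceeded in 0 seconds) [**]
06/02-01:04:42.705097

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/21-04:04:16.206809 216.17.162.57 -> 209.114.157.5
ICMP TTL:25 TOS:0x0 ID:39126 IpLen:20 DgmLen:28
"""

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]", re.S)  # [gid:sid:rev] msg
CLASS = re.compile(r"\[Classification: ([^\]]+)\] \[Priority: (\d+)\]")
FLOW = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)(?: (\S+) -> (\S+))?", re.M)  # ts [src -> dst]
PROTO = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+)", re.M)
XREF = re.compile(r"\[Xref => ([^\]]+)\]")

def parse_alerts(text):
    """Split the file on blank lines; each record becomes a dict of the fields Snort printed."""
    alerts = []
    for rec in re.split(r"\n\s*\n", text.strip()):
        h = HEADER.search(rec)
        if not h: continue  # not an alert record
        c, f, p = CLASS.search(rec), FLOW.search(rec), PROTO.search(rec)
        alerts.append({
            "gid": int(h.group(1)), "sid": int(h.group(2)), "rev": int(h.group(3)),
            "msg": " ".join(h.group(4).split()),  # the header can wrap onto a second line
            "classification": c.group(1) if c else None,
            "priority": int(c.group(2)) if c else None,  # preprocessor alerts carry none
            "timestamp": f.group(1) if f else None,
            "src": f.group(2) if f else None, "dst": f.group(3) if f else None,
            "proto": p.group(1) if p else None, "xrefs": XREF.findall(rec)})
    return alerts

def triage(alerts):
    """Count alerts per (priority, source host), most urgent first; no-priority alerts sort last."""
    counts = Counter()
    for a in alerts:
        m = re.search(r"\bfrom (\S+)", a["msg"])  # portscan alerts name the source only in msg
        src = (a["src"] or (m.group(1) if m else "-")).rsplit(":", 1)[0]
        counts[(a["priority"] if a["priority"] is not None else 99, src)] += 1
    return sorted((p, s, n) for (p, s), n in counts.items())
```

Run it over a real file with `triage(parse_alerts(open("/var/log/snort/alert").read()))`; with Snort's default classification.config, priority 1 is the most severe and 3 the least, so the first rows of the summary are the ones to read first.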