Snort mailing list archives
Re: alert file
From: Alberto Gonzalez <ag-snort () cerebro violating us>
Date: Wed, 23 Oct 2002 22:52:32 -0700
Zachary Uram wrote:
> Hi, How can I tell which snort alerts I should be concerned about and which are harmless? I was running various IDS programs but the trigger threshold seemed so low I was getting root mailed every 20 secs with some different sort of "alert" sheesh.

Actually, you should be concerned about _ALL_ alerts (for the first few days/weeks) until you establish what's false (if any?) or what's truly alerts/attacks. When I first started, I would research what snort gave me alerts on, learn about the attack, and see if I was vulnerable. This has helped me greatly in my journey.

> [**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 05/31-08:44:22.007315 209.16.250.107:2333 -> 209.166.149.198:80
> TCP TTL:113 TOS:0x0 ID:55556 IpLen:20 DgmLen:112 DF
> ***AP*** Seq: 0xD9C61308 Ack: 0xF34FE080 Win: 0x4470 TcpLen: 20
> [Xref => http://www.cert.org/advisories/CA-2001-19.html]
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 05/31-08:44:23.305171 209.16.250.107:2409 -> 209.166.149.198:80
> TCP TTL:113 TOS:0x0 ID:55894 IpLen:20 DgmLen:120 DF
> ***AP*** Seq: 0xDA026642 Ack: 0xF3814B1A Win: 0x4470 TcpLen: 20

These really get annoying (poor access_log). I personally (and mine is unix based) don't care about any IIS attacks aimed at my network. I could care less what IIS junk they throw at me. You should customize your RULESET to pertain to your network (running services, users, etc..). No need to run IIS rules if you're using Apache (same goes for other stuff as well).

> [**] [1:620:1] SCAN Proxy attempt [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 06/02-01:04:42.380797 66.140.25.157:41323 -> 209.114.157.102:8080
> TCP TTL:50 TOS:0x0 ID:4457 IpLen:20 DgmLen:60 DF
> ******S* Seq: 0xB1259605 Ack: 0x0 Win: 0x16D0 TcpLen: 40
> TCP Options (5) => MSS: 1460 SackOK TS: 254576492 0 NOP WS: 0
>
> [**] [1:618:1] INFO - Possible Squid Scan [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 06/02-01:04:42.391610 66.140.25.157:41324 -> 209.114.157.102:3128
> TCP TTL:50 TOS:0x0 ID:38290 IpLen:20 DgmLen:60 DF
> ******S* Seq: 0xB12412FE Ack: 0x0 Win: 0x16D0 TcpLen: 40
> TCP Options (5) => MSS: 1460 SackOK TS: 254576492 0 NOP WS: 0

I've seen Squid scan attempts when nmap[1] is run at your network. Just someone doing some information gathering on your subnet. I could be wrong, just trying to give you a general idea.

> [**] [100:2:1] spp_portscan: portscan status from 66.140.25.157: 5 connections across 1 hosts: TCP(5), UDP(0) [**]
> 06/02-01:45:57.095856

Just spp_portscan letting you know what's up :-)

> [**] [1:469:1] ICMP PING NMAP [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 06/21-04:04:16.206809 216.17.162.57 -> 209.114.157.5
> ICMP TTL:25 TOS:0x0 ID:39126 IpLen:20 DgmLen:28
> Type:8 Code:0 ID:32305 Seq:0 ECHO
> [Xref => http://www.whitehats.com/info/IDS162]

Pretty self explanatory.

> [**] [1:477:1] ICMP Source Quench [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 08/24-06:36:42.576710 66.37.218.174 -> 209.114.157.24
> ICMP TTL:237 TOS:0x0 ID:12946 IpLen:20 DgmLen:56 DF
> Type:4 Code:0 SOURCE QUENCH
>
> [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
> [Classification: Misc activity] [Priority: 3]
> 09/28-10:12:25.898514 209.114.157.221 -> 209.114.157.222
> ICMP TTL:127 TOS:0x0 ID:59706 IpLen:20 DgmLen:60
> Type:8 Code:0 ID:49409 Seq:256 ECHO
> [Xref => http://www.whitehats.com/info/IDS154]

Can't say I've seen this before, then again, I have everything pertaining to windows turned off.. no need for 'noise'.

Hope it Helps
- Albert

1. nmap http://www.insecure.org/nmap

--
The secret to success is to start from scratch and keep on scratching.
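Alberto's advice in this reply (drop rules for services a host does not run, treat scan hits as recon to summarise per source, investigate the rest) can be mechanised over the alert file itself. The following is an added example, not code from the thread or from the Snort project: a small Python parser for the "full" alert format quoted above, fed with the entries from this message, plus a constructed host inventory. `HOST_SERVICES`, `PREFIX_REQUIRES` and `RECON_CLASSES` are assumptions for illustration, not Snort configuration.

```python
"""Triage Snort 'full' alert-file entries against a host inventory (added example)."""
import re
from collections import Counter

# Alert entries copied from the thread above (trailing packet-detail lines trimmed).
SAMPLE_ALERTS = """\
[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-08:44:22.007315 209.16.250.107:2333 -> 209.166.149.198:80

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-08:44:23.305171 209.16.250.107:2409 -> 209.166.149.198:80

[**] [1:620:1] SCAN Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/02-01:04:42.380797 66.140.25.157:41323 -> 209.114.157.102:8080

[**] [1:618:1] INFO - Possible Squid Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/02-01:04:42.391610 66.140.25.157:41324 -> 209.114.157.102:3128

[**] [100:2:1] spp_portscan: portscan status from 66.140.25.157: 5 connections across 1 hosts: TCP(5), UDP(0) [**]
06/02-01:45:57.095856

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/21-04:04:16.206809 216.17.162.57 -> 209.114.157.5

[**] [1:477:1] ICMP Source Quench [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/24-06:36:42.576710 66.37.218.174 -> 209.114.157.24
"""

# Constructed (hypothetical) inventory: which services each monitored host runs.
HOST_SERVICES = {
    "209.166.149.198": {"apache"},
    "209.114.157.102": {"apache", "ssh"},
}
# Rule-message prefixes that only matter when the target runs the named service.
PREFIX_REQUIRES = {"WEB-IIS": "iis", "WEB-FRONTPAGE": "iis"}
RECON_CLASSES = {"Attempted Information Leak"}

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: ([^\]]+)\]")
IP = r"(\d+\.\d+\.\d+\.\d+)"
PACKET_RE = re.compile(r"^(\d\d/\d\d-[\d:.]+) " + IP + r"(?::\d+)? -> " + IP, re.M)


def parse_alerts(text):
    """Split the alert file on blank lines and pull out the fields triage needs."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        h = HEADER_RE.search(block)
        if not h:
            continue  # not a recognisable alert entry
        gid, sid, msg = int(h.group(1)), int(h.group(2)), h.group(4)
        c = CLASS_RE.search(block)
        p = PACKET_RE.search(block)
        if p:
            src, dst = p.group(2), p.group(3)
        else:
            # Preprocessor entries (spp_portscan) have no packet line; the
            # scanning host is named inside the message text instead.
            m = re.search(r"from " + IP, msg)
            if not m:
                continue
            src, dst = m.group(1), None
        alerts.append({"gid": gid, "sid": sid, "msg": msg, "src": src, "dst": dst,
                       "classification": c.group(1) if c else ""})
    return alerts


def triage(text, inventory=HOST_SERVICES):
    """Sort alerts into: not applicable to the target, recon to summarise, or investigate."""
    verdicts = {"not_applicable": [], "recon": Counter(), "investigate": []}
    for a in parse_alerts(text):
        prefix = a["msg"].split(" ", 1)[0]
        needed = PREFIX_REQUIRES.get(prefix)
        if needed and a["dst"] in inventory and needed not in inventory[a["dst"]]:
            # Rule fired against a host that does not run the targeted service.
            verdicts["not_applicable"].append((a["sid"], a["msg"], a["dst"]))
        elif a["gid"] != 1 or a["classification"] in RECON_CLASSES or prefix == "SCAN":
            # Scans and preprocessor portscan reports: count per source host.
            verdicts["recon"][a["src"]] += 1
        else:
            verdicts["investigate"].append((a["sid"], a["msg"], a["src"], a["dst"]))
    return verdicts


if __name__ == "__main__":
    v = triage(SAMPLE_ALERTS)
    for sid, msg, dst in v["not_applicable"]:
        print(f"not applicable: sid {sid} '{msg}' -> {dst} does not run that service")
    for src, n in v["recon"].items():
        print(f"recon: {n} probe(s) from {src}")
    for sid, msg, src, dst in v["investigate"]:
        print(f"investigate: sid {sid} '{msg}' {src} -> {dst}")
```

Run against the quoted entries, the two WEB-IIS hits on the Apache host come out as not applicable, the three probes from 66.140.25.157 and the nmap ping collapse into per-source recon counts, and only the Source Quench is left to look at by hand. The inventory is the part worth maintaining: the verdicts are only as good as the list of what each host actually runs.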
Current thread:
- alert file Zachary Uram (Oct 23)
- Re: alert file Alberto Gonzalez (Oct 23)
- Re: alert file Zachary Uram (Oct 23)
- Re: alert file Alberto Gonzalez (Oct 23)
- Re: alert file Zachary Uram (Oct 24)
- Re: alert file Zachary Uram (Oct 23)
- Re: alert file Alberto Gonzalez (Oct 23)
- Snort logging to mysql Edward W. Ray (Oct 23)