Snort mailing list archives

Same alerts generation


From: hlima () pbh gov br
Date: Wed, 22 Oct 2003 12:06:14 +0300 (BRT)


Hello all. I've been using SNORT 2.0.0 for a couple of weeks and Oinkmaster to update its rules. The reason why I'm writing this email is that I have been getting the following same 8 alerts:

1 - 09/26-11:18:03.541838  [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 200.183.85.231 -> 200.186.217.147

2 - 10/03-11:06:20.603344  [**] [1:1841:2] WEB-CLIENT javascript URL host spoofing attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 200.162.176.13:80 -> 200.186.217.173:35854

3 - 10/03-11:21:23.020325  [**] [1:615:3] SCAN SOCKS Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 211.216.81.175:1044 -> 200.186.217.147:1080

4 - 10/08-18:41:04.295973  [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 66.248.98.112:3020 -> 200.186.217.146:1434

5 - 10/08-21:23:02.344940  [**] [1:620:3] SCAN Proxy (8080) attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 68.170.234.106:0 -> 200.186.217.147:8080

7 - 10/08-21:48:42.671706  [**] [1:618:4] SCAN Squid Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 68.170.234.106:0 -> 200.186.217.147:3128

8 - 10/20-07:12:54.320578  [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 200.186.217.129 -> 200.186.217.173

My network is big and I THINK I could be getting more alerts. I have configured the snort.conf file, informing my HOME_NET, the EXTERNAL_NET, and my DNS and SMTP servers. I have not edited anything else in this file. In this same file there are some rules files that are commented out, like
backdoor.rules
porn.rules
policy.rules
chat.rules
etc.
They were automatically commented out when I installed SNORT 2.0.0. Still, the majority of the rules files are enabled.

  Could someone please give some suggestions regarding enabling those rules above, or whether I should specify something else in the snort.conf file?
  Should I still install the newest SNORT version even though I have the Oinkmaster software updating my rules?

Thanks in Advance

Henrique de Lima




