Snort mailing list archives
Re: Please help!!
From: Thiago Mello <tmello00 () yahoo com br>
Date: 28 Oct 2003 14:03:22 -0200
Hi Henrique,

I think that before you install an IDS you have to know and decide all the servers/routers/hosts that you want the IDS to "protect", so my opinion is that you should draw a schema of your network, with the appropriate services and OS, and then apply the Snort rules; with that, Snort will be able to use the rules that are for your network. But you also might want to inspect all the network traffic, which will give you more alerts to analyze. About the automatic updating of the rules, that is your option.

Regards,
Thiago Mello

PS: next time you post to this list, you don't have to show the real IP addresses; you can fake the IPs in the alert.

On Tue, 2003-10-28 at 06:05, hlima () pbh gov br wrote:
Hello everyone.

I know I've sent this message before. I'd appreciate an answer to my email a lot! I've been using SNORT 2.0.0 for a couple of weeks and Oinkmaster to update its rules. The reason why I'm writing this email is that I have been getting the following same 8 alerts:

1 - 09/26-11:18:03.541838 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 200.183.85.231 -> 200.186.217.147
2 - 10/03-11:06:20.603344 [**] [1:1841:2] WEB-CLIENT javascript URL host spoofing attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 200.162.176.13:80 -> 200.186.217.173:35854
3 - 10/03-11:21:23.020325 [**] [1:615:3] SCAN SOCKS Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 211.216.81.175:1044 -> 200.186.217.147:1080
4 - 10/08-18:41:04.295973 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 66.248.98.112:3020 -> 200.186.217.146:1434
5 - 10/08-21:23:02.344940 [**] [1:620:3] SCAN Proxy (8080) attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 68.170.234.106:0 -> 200.186.217.147:8080
7 - 10/08-21:48:42.671706 [**] [1:618:4] SCAN Squid Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 68.170.234.106:0 -> 200.186.217.147:3128
8 - 10/20-07:12:54.320578 [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 200.186.217.129 -> 200.186.217.173

My network is big and I THINK I could be getting more alerts. I have configured the snort.conf file informing my HOME_NET, the EXTERNAL_NET, my DNS and SMTP servers. I have not edited anything else on this file.

In this same file there are some rules files that are commented out, like backdoor.rules, porn.rules, policy.rules, chat.rules, etc. They were automatically commented out when I installed SNORT 2.0.0. Still, the majority of rules files are enabled. Please, someone give me some suggestion regarding enabling those rules above, or whether I should inform something else in the snort.conf file. Should I still install the newest SNORT version even having the Oinkmaster software updating my rules?

Thanks in advance,
Henrique de Lima
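The alert lines quoted in the thread are Snort's "fast" alert output. As an added example for this thread (not Snort code, and not written by either poster), the Python below parses those seven lines, counts them per SID and marks which ones were aimed at HOME_NET, and rewrites the addresses into RFC 5737 documentation ranges so the lines can be posted without exposing real IPs, as Thiago suggests. The HOME_NET value 200.186.217.128/25 is an assumption chosen only because it covers the destination addresses in the post; the seven sample lines are the ones quoted above with the archive's line-wrapping undone.

```python
"""Parse Snort 2.x fast-format alert lines, summarize them per SID, and
pseudonymize addresses before posting them to a mailing list.

Added example for this thread; not Snort code and not from either poster.
HOME_NET below is an assumption chosen to cover the addresses in the post."""
import ipaddress
import re

HOME_NET = "200.186.217.128/25"  # assumption for illustration

# The seven lines quoted in the post, with the archive's line-wrapping undone.
POSTED_ALERTS = [
    "09/26-11:18:03.541838 [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 200.183.85.231 -> 200.186.217.147",
    "10/03-11:06:20.603344 [**] [1:1841:2] WEB-CLIENT javascript URL host spoofing attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 200.162.176.13:80 -> 200.186.217.173:35854",
    "10/03-11:21:23.020325 [**] [1:615:3] SCAN SOCKS Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 211.216.81.175:1044 -> 200.186.217.147:1080",
    "10/08-18:41:04.295973 [**] [1:2003:2] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 66.248.98.112:3020 -> 200.186.217.146:1434",
    "10/08-21:23:02.344940 [**] [1:620:3] SCAN Proxy (8080) attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 68.170.234.106:0 -> 200.186.217.147:8080",
    "10/08-21:48:42.671706 [**] [1:618:4] SCAN Squid Proxy attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 68.170.234.106:0 -> 200.186.217.147:3128",
    "10/20-07:12:54.320578 [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 200.186.217.129 -> 200.186.217.173",
]

# One fast-format line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[A-Za-z]+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_alert(line):
    """Return a dict of fields for one fast-format line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        d[k] = int(d[k])
    for k in ("sport", "dport"):  # absent for ICMP; port 0 is a real value, keep it
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def summarize(alerts, home_net):
    """Count alerts per SID and how many of them targeted a HOME_NET address."""
    home = ipaddress.ip_network(home_net)
    out = {}
    for a in alerts:
        rec = out.setdefault(a["sid"], {"msg": a["msg"], "prio": a["prio"], "count": 0, "inbound": 0})
        rec["count"] += 1
        if ipaddress.ip_address(a["dst"]) in home:
            rec["inbound"] += 1
    return out


def report(summary):
    """One line per SID, highest priority (lowest number) first, then by count."""
    order = sorted(summary.items(), key=lambda kv: (kv[1]["prio"], -kv[1]["count"]))
    return [f"P{r['prio']} sid={sid} x{r['count']} inbound={r['inbound']} {r['msg']}" for sid, r in order]


class Pseudonymizer:
    """Map real addresses to RFC 5737 documentation addresses consistently:
    HOME_NET hosts become 192.0.2.N and everything else 198.51.100.N, so a
    posted alert still shows which side is yours and which hosts repeat."""

    def __init__(self, home_net):
        self.home = ipaddress.ip_network(home_net)
        self.table = {}
        self.counter = {"home": 0, "ext": 0}

    def __call__(self, ip):
        if ip not in self.table:
            side = "home" if ipaddress.ip_address(ip) in self.home else "ext"
            self.counter[side] += 1
            base = "192.0.2." if side == "home" else "198.51.100."
            self.table[ip] = base + str(self.counter[side])
        return self.table[ip]


def sanitize_all(lines, home_net):
    """Rewrite every dotted quad in each line through one shared Pseudonymizer."""
    pseudo = Pseudonymizer(home_net)
    return [IPV4_RE.sub(lambda m: pseudo(m.group(0)), line) for line in lines]


if __name__ == "__main__":
    parsed = [a for a in map(parse_alert, POSTED_ALERTS) if a]
    print("\n".join(report(summarize(parsed, HOME_NET))))
    print()
    print("\n".join(sanitize_all(POSTED_ALERTS, HOME_NET)))
```

The sanitized lines still parse with the same regex, so whoever answers on the list can reason about ports, SIDs and which hosts are repeat targets without learning the real addresses.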
Current thread:
- Please help!! hlima (Oct 28)
- Re: Please help!! Thiago Mello (Oct 28)