Snort mailing list archives
Newbie Questions
From: James Sinnamon <frodo000 () bigpond net au>
Date: Sun, 11 Jul 2004 17:20:49 +1000
Dear snorters,

1. Where to find information regarding records in 'alert' log files?
--------------------------------------------------------------------

I noticed, by chance, an attempted IIS attack against my apache webserver, when I was watching the httpd log files. (I was advised by someone on the debian-firewall mailing list that it looked like an IIS attack.)

The snort alert file showed two records which closely match the attack:

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
07/10-11:32:45.770453 xxx.xxx.xxx.xxx:2291 -> xxx.xxx.xxx.xxx:80
TCP TTL:120 TOS:0x0 ID:25375 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xACEA38FD Ack: 0x79BE56AF Win: 0x4470 TcpLen: 20

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
07/10-11:32:45.861390 xxx.xxx.xxx.xxx:2291 -> xxx.xxx.xxx.xxx:80
TCP TTL:120 TOS:0x0 ID:25376 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xACEA3EB1 Ack: 0x79BE56AF Win: 0x4470 TcpLen: 20

Where can I find more information about these alerts? Is there a snort ID somewhere in these records, or something else which I can use in a query of http://www.snort.org/snort-db/ ?

2. 'OVERSIZE CHUNK ENCODING' alert
----------------------------------

I would also like to understand the significance of another kind of record:

[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
07/11-16:25:57.693323 144.132.250.188:33903 -> 202.139.232.71:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1290
***AP*** Seq: 0xEE4A9389 Ack: 0x8D7C522A Win: 0x3F8E TcpLen: 20

... from my incomplete understanding, it seems to be originating from my own server (144.132.250.188), so I am not sure what to make of it, but if someone could point me towards the documentation I would be greatly obliged.

3. No need for alarm, yet?
--------------------------

I have open listening ports for ssh, https, smtp and icmp (ping) as well as http.

I have used all the rules (except a few obviously inapplicable ones) supplied with my Debian (testing) package. When I grep'd the (unzipped) alert.* logs, I only found alerts relating to 80/http (using 'grep " -> " alert* | grep ":25$"', for example), so can I assume that no-one out there has so far attempted to attack these other ports with any form of attack already known to snort?

4. Rules not necessary for firewall blocked ports?
--------------------------------------------------

Can someone confirm: I only need to use rules relating to unblocked ports, so there is no reason to use rules related to, as examples, pop3, imap, squid and postgresql, until I decide to run these services and unblock their listening ports?

Does the use of redundant rules (if they are redundant) incur a significant cost in performance?

TIA,

James

--
James Sinnamon
frodo000@bigpond net au
+61 412 319669, +61 2 95692123
(aka jaymz-.a.t.-bigpond-net-auStralia)
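Added example (not part of the post or of Snort itself): a small parser for the "full" alert format quoted above. The bracketed triple in the first line is generator:signature:revision; GID 1 alerts come from text rules (the SIDs the snort-db site indexes), while GID 119 alerts come from the http_inspect preprocessor and are documented with that preprocessor. The sample records and addresses below are constructed, and the per-destination-port count is a more robust version of the grep in question 3.

```python
import re
from collections import Counter

# Constructed sample in Snort "full" alert format, modelled on the records
# quoted in the post (RFC 5737 addresses; the third record is invented).
SAMPLE_ALERTS = """\
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
07/10-11:32:45.770453 198.51.100.7:2291 -> 203.0.113.5:80
TCP TTL:120 TOS:0x0 ID:25375 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xACEA38FD Ack: 0x79BE56AF Win: 0x4470 TcpLen: 20

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
07/10-11:32:45.861390 198.51.100.7:2291 -> 203.0.113.5:80
TCP TTL:120 TOS:0x0 ID:25376 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xACEA3EB1 Ack: 0x79BE56AF Win: 0x4470 TcpLen: 20

[**] [1:1000001:1] CONSTRUCTED smtp test rule [**]
07/10-12:00:00.000000 198.51.100.9:4455 -> 203.0.113.5:25
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
***A**** Seq: 0x1 Ack: 0x2 Win: 0x10 TcpLen: 20
"""

# First line: [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
# Second line: timestamp src:sport -> dst:dport
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")

def parse_alerts(text):
    """Yield one dict per alert record (records are blank-line separated)."""
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 2:
            continue
        head, flow = HEADER_RE.match(lines[0]), FLOW_RE.match(lines[1])
        if not head or not flow:
            continue  # skip records we do not understand rather than guess
        gid, sid, rev = (int(x) for x in head.group(1, 2, 3))
        yield {
            "gid": gid, "sid": sid, "rev": rev, "msg": head.group(4),
            # GID 1 is the rules engine; any other GID is a preprocessor alert
            "source": "rule" if gid == 1 else "preprocessor",
            "time": flow.group(1),
            "src": flow.group(2), "sport": int(flow.group(3)),
            "dst": flow.group(4), "dport": int(flow.group(5)),
        }

def alerts_by_dport(text):
    """Count alerts per destination port, e.g. to see whether 25/smtp ever fired."""
    return Counter(a["dport"] for a in parse_alerts(text))
```

Run it over a real alert file with `alerts_by_dport(open("alert").read())`; a port that never appears simply means no rule or preprocessor fired for it, not that nothing was tried.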