Snort mailing list archives
RE: Snort within Astaro Secure Linux
From: "doug" <doug () ravennasprings com>
Date: Wed, 2 Mar 2005 14:26:29 -0800
It appears that my firewall has been compromised. I wanted to verify
this with folks more familiar with snort.
The logs are at the bottom of this message.
It appears that an attack was initiated from 208.254.45.206 and
succeeded in compromising my firewall within seven minutes, then
continued the attack from the firewall itself.
Can someone help me out with this?
This would be a serious compromise of a well respected firewall.
I'm very much interested in getting to the bottom of this.
Regards,
~Doug
Local logfile query Query term: DOS Time span:
2005-03-01 -> 2005-03-02
Intrusion Protection System
2005:03:01-12:32:10 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:13 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:19 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:31 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:55 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:33:43 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:02-12:49:59 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:49:59 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:49:59 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:00 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:01 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:02 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:06 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:12 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:26 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:53 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
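An added triage helper, not part of Doug's post or of Snort or Astaro, that parses alert lines in the syslog format shown above, groups them into flows and flags hits whose source port is a well-known service port; the sample lines are constructed copies of the format in the post (joined back onto single lines), and SERVICE_PORTS and the "likely return traffic" heuristic are assumptions for triage, not a verdict on these alerts.

```python
import re
from collections import defaultdict

# Snort syslog-style alert line as it appears in the post (one alert per line).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<pri>\d+)\]: <[^>]*> "
    r"\{(?P<proto>[^}]*)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumption: ports this site serves or proxies HTTP(S) on. Adjust per site.
SERVICE_PORTS = {80, 443, 8080, 8081}

# Constructed sample in the post's format (line wrapping removed).
SAMPLE = """\
2005:03:01-12:32:10 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:13 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:02-12:49:59 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
not an alert line at all
"""


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("pid", "gid", "sid", "rev", "pri", "sport", "dport"):
        a[k] = int(a[k])
    return a


def triage(text):
    """Group alerts by (src, sport, dst, dport, sid) and flag probable return traffic."""
    flows = defaultdict(list)
    for line in text.splitlines():
        a = parse_alert(line)
        if a:
            flows[(a["src"], a["sport"], a["dst"], a["dport"], a["sid"])].append(a["ts"])
    report = []
    for (src, sport, dst, dport, sid), stamps in flows.items():
        # Heuristic (assumption): a well-known service port talking to a high port
        # looks like server-to-client replies whose client port happened to be 3372,
        # not a connection initiated toward MSDTC. Confirm with a packet capture
        # before treating such hits as a compromise.
        likely_return = sport in SERVICE_PORTS and dport >= 1024
        report.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                       "sid": sid, "count": len(stamps), "first": stamps[0],
                       "last": stamps[-1], "likely_return_traffic": likely_return})
    return report
```

Run triage over the real log file contents to see each repeated flow once, with its hit count and time window, instead of one line per alert.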