Snort mailing list archives

RE: Where do I go from here

From: "Briggs, Bruce" <Bruce.Briggs () suny edu>
Date: Tue, 15 Nov 2005 16:00:45 -0500

So you are monitoring what is outside you door in a crime-ridden
neighborhood (the Internet).
This does not tell you what is coming through your door (your firewall).
 
Personally, I care what makes it into my network.  I don't care all that
much about what does not make it into my network.
So for me, I want an IDS inside my network.  For me, an IPS is a better
candidate to be outside your firewall than an IDS.
 
Bruce

  _____  

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Timothy A.
Holmes
Sent: Tuesday, November 15, 2005 2:16 PM
To: snort
Subject: [Snort-users] Where do I go from here



Hi Folks:

After some fits and starts, I believe that I have a functional IDS Box
watching the front door now, and I took out the back door (Wireless ap)
and repaired the hole in the wall with bricks and mortar

 

So, I guess the next question is what is the next step?



To summarize, I have a SNORT box up and sniffing on the inbound line
between the Cable Modem and the Firewall.  The management port is inside
the firewall and has an IP on it while the sniffing port is outside the
firewall and does not have one.  

 

I am logging to a mysql database, and running base for reporting.

 

As of the last check, I have received about 4500 alerts today, here is
the breakdown from base on them

 

Displaying alerts 1-7 of 7 total







   

 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=sig_a

 Signature >

<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=sig_d

 


 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=class
_a>  Classification >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=class
_d>  

 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=occur
_a>  Total # >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=occur
_d>  

 Sensor # 

 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=saddr
_a>  Source Address >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=saddr
_d>  

 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=daddr
_a>  Dest. Address >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=daddr
_d>  

 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=first
_a>  First >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=first
_d>  

 <
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=last_
a>  Last >
<https://192.168.0.28/base/base_stat_alerts.php?caller=&sort_order=last_
d>  

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=3> ] (portscan) TCP
Portsweep 

unclassified 

55
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D=1&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=1&sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=1>  

31
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=1>  

2005-11-15 03:06:05 

2005-11-15 13:12:23 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=27> ] (portscan) Open
Port 

unclassified 

3679
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D=2&sig_type=1&submit=Query+DB&num_result_rows=-1> (33%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=2&sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=2>  

302
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=2>  

2005-11-15 03:06:08 

2005-11-15 13:12:28 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=4> ] (http_inspect)
BARE BYTE UNICODE ENCODING 

unclassified 

444
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D=3&sig_type=1&submit=Query+DB&num_result_rows=-1> (4%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=3&sig_type=1>  

2
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=3>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=3>  

2005-11-15 00:37:16 

2005-11-15 14:12:38 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=2> ] (http_inspect)
DOUBLE DECODING ATTACK 

unclassified 

21
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D=4&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=4&sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=4>  

9
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=4>  

2005-11-15 07:16:16 

2005-11-15 12:38:53 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=15> ] (http_inspect)
OVERSIZE REQUEST-URI DIRECTORY 

unclassified 

6
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D=6&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=6&sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=6>  

3
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=6>  

2005-11-15 10:43:42 

2005-11-15 11:46:43 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=1> ] (portscan) TCP
Portscan 

unclassified 

3
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D=9&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=9&sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=9>  

3
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=9>  

2005-11-15 10:36:26 

2005-11-15 10:36:42 

      

[snort <http://www.snort.org/pub-bin/sigs.cgi?sid=16> ] (http_inspect)
OVERSIZE CHUNK ENCODING 

unclassified 

3
<https://192.168.0.28/base/base_qry_main.php?new=1&sig%5B0%5D=%3D&sig%5B
1%5D=13&sig_type=1&submit=Query+DB&num_result_rows=-1> (0%) 

1
<https://192.168.0.28/base/base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5
D=13&sig_type=1>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=1&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=13>  

1
<https://192.168.0.28/base/base_stat_uaddr.php?addr_type=2&sig_type=1&si
g%5B0%5D=%3D&sig%5B1%5D=13>  

2005-11-15 11:45:36 

2005-11-15 11:46:40 

 

 

 

I guess I need to know what to do next and how to begin utilizing this
data to better protect my network

 

Anyone who can help, or point me to the proper resources would be
greatly appreciated

 

TIM



 

Timothy A. Holmes

IT Manager / Network Admin / Web Master / Computer Teacher

 

Medina Christian Academy

A Higher Standard...

 

Jeremiah 33:3

Jeremiah 29:11

Esther 4:14

Current thread:

Where do I go from here Timothy A. Holmes (Nov 15)
- <Possible follow-ups>
- RE: Where do I go from here Briggs, Bruce (Nov 15)
  - RE: Where do I go from here Lee Clemens (Nov 15)
- RE: Where do I go from here Briggs, Bruce (Nov 15)
- Re: Where do I go from here Richard Bejtlich (Nov 15)