Re: http_inspect message

["Jefferson, Shawn" <Shawn.Jefferson () bcferries com>]

Looks a lot like the standard "noise" you get on the Internet.  Install a WAF and all (most) of this will get blocked 
before it hits your website.


-----Original Message-----
From: Mario Remy Almeida [mailto:mario.almeida () gmail com] 
Sent: Sunday, September 18, 2011 4:07 PM
To: Martin Holste
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] http_inspect message

Hi Martin,

Yes, Its a DOS attack on TCP port 80, My sever goes down only if I start Apache which runs on port 80.

Thats the reason I have put the iptable rule. Only port allowed by our ISP to our server is TCP port 80 and 443.

I have attache an excel file about my findings as per the snort alert.
If you are free and can have a look will be a great help.


On Mon, Sep 19, 2011 at 2:34 AM, Martin Holste <mcholste () gmail com> wrote:
> Are you sure it's a DOS?  How do you know?  Are these web requests?
> Web server logs are the place to start.
>
> If you are under a DOS attack, and it's just a TCP (not HTTP) attack, 
> then you are on the right track with the iptables config changes.  I'd 
> also be making similar tweaks on the upstream firewall.  Since you 
> already know you're under attack, then you're not really trying to 
> detect intrusions.  If you're not sure what kind of attack you're 
> under, then the many DOS rules in the signatures may help guide you.
> Otherwise, set aside the IDS for now and focus on containing the 
> incident.
>
> If the incident is not contained, then you need to focus on getting 
> the incoming connections blocked (as you've done).  You may also want 
> to look into null-routing instead of using firewall blocks.  After 
> containment, focus on collecting log evidence and opening a case with 
> your local law enforcement as soon as possible.  Make sure you're 
> getting logs from multiple devices--preferably NetFlow from your
> router(s) and build/teardown/deny messages from your firewall(s).  If 
> you have received any communications from the attackers by way of 
> email, make sure these are saved in their original form for evidence 
> as well.
>
> On Sun, Sep 18, 2011 at 3:15 PM, Mario Remy Almeida 
> <mario.almeida () gmail com> wrote:
> > Hi Martin
> >
> > Actually I company web site is under attack, there are trons of new 
> > connection form different IPs. At present with iptables I have set 25 
> > connection p/s (--state NEW) after this server seems to be normal.
> > I recommended to snort to my man agent to give a try, with the 
> > subscription we download the rule sets too. but now I am lost. I have 
> > enable all the rules from dos and ddos rule files. Let me enable all 
> > the rules from backdoor.rules and watch for alerts.
> >
> > You mean signatures, that is the rule set right?
> >
> > On Sun, Sep 18, 2011 at 10:51 PM, Martin Holste <mcholste () gmail com> wrote:
> > > No, you are not under DOS attack.  This is a very common message 
> > > from the http preprocessor.  Actually, the http preproc will create 
> > > many, many messages like this, almost all of which can be safely 
> > > ignored until you are more familiar with Snort.  I recommend that 
> > > you ignore alerts from all of the preprocessors until *AFTER* you 
> > > have mastered the regular rules.  By this I mean worry first about 
> > > any signatures which have the "trojan-activity" classification or 
> > > are SQL injection signatures.  Also, take this opportunity to add a 
> > > heartbeat signature so you'll know for sure if you're dropping 
> > > packets (you can safely skip this step if you are monitoring a link with < 100 Mbit/sec).
> > > Once you've your normal ruleset tuned and have responded to the 
> > > malware  infections that you probably just found now that you've got 
> > > something other than AV keeping an eye on things, you can proceed to 
> > > check out the alerts generated by the preprocessors.
> > >
> > > On Sun, Sep 18, 2011 at 12:10 PM, Mario Remy Almeida 
> > > <mario.almeida () gmail com> wrote:
> > > > Dear All,
> > > >
> > > > I am new to snort.
> > > > I get lots of this message
> > > >
> > > > [119:14:1] (http_inspect) NON-RFC DEFINED CHAR [**] [Classification:
> > > > Potentially Bad Traffic] [Priority: 2] {TCP}
> > > >
> > > > Dose it mean I am in kind of DOS attack? can someone give me some 
> > > > tips if I need to analyze it more or should I block such IPs?
> > > >
> > > > -------------------------------------------------------------------
> > > > ----------- BlackBerry&reg; DevCon Americas, Oct. 18-20, San 
> > > > Francisco, CA
> > > > http://p.sf.net/sfu/rim-devcon-copy2
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
Learn about the latest advances in developing for the 
BlackBerry&reg; mobile platform with sessions, labs & more.
See new tools and technologies. Register for BlackBerry&reg; DevCon today!
http://p.sf.net/sfu/rim-devcon-copy1 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!