Snort mailing list archives

Analyzing Snort alert


From: Balasubramaniam Natarajan <bala150985 () gmail com>
Date: Tue, 10 Jul 2012 10:49:11 +0530

Hi Snort users,

I am posting a small event which happened yesterday, and I hope I am not
breaking any rules of this mailing list by sending this email. If I do, let
me know. With that said, here we go.

Yesterday I was going about doing my things and suddenly noticed that there
were three alerts on my IDS with the signature shown below.

<http://2.bp.blogspot.com/-G3B7gcivFGw/T_u0YBPzyQI/AAAAAAAAAUs/mgCOYQQFFy0/s1600/Selection_002.jpeg>

I tried looking at the payload it was really huge like shown below.

<http://4.bp.blogspot.com/-epVGhV9qj64/T_u1Je0FjXI/AAAAAAAAAU0/osnw9HzpZyA/s1600/Selection_003.jpeg>

I tried looking up the IP at
http://whois.domaintools.com/91.229.143.59, however I did not get any
information useful to me.

I wanted to clean up the payload shown above to see just the URL, so I used
the command as shown:

*grep http tmp.txt | cut -d" " -f1 | grep \' | cut -d\' -f1*

<http://4.bp.blogspot.com/-tHMmp_iJ_T4/T_u2XxfHMqI/AAAAAAAAAU8/bSMN6Mm0xak/s1600/Selection_004.jpeg>

Well, fair enough; except for the first one, all the others do seem to be
malicious, so I set out seeking my web proxy logs to see how I landed up
on the IP.

One look at the proxy logs and I almost felt like an amnesia patient getting
back his/her memories :-D, because yesterday I was using urlquery.net for
some experiment.

<http://3.bp.blogspot.com/-KbgemiTCFIE/T_u3KEmpmuI/AAAAAAAAAVE/nKfXsXCip40/s1600/Selection_005.jpeg>

*Bottom line:* Long story short, it really pays to have logging enabled to
determine if an incident is a false positive or not :-)

Note: I thought of just sending a link to the blog to the mailing list;
however, I did not, as I do not want to be pointed at for dragging people to
my blog.

-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
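As an added example (not part of the original post, and not the poster's own script), here is a shell version of the two steps described above: cleaning a payload dump down to just its URLs, and then reading the proxy log to see what the client fetched just before its first request to the alert's destination IP. It assumes a Squid-style access.log layout (time, elapsed, client, status, bytes, method, URL, ...) and runs entirely on constructed sample data embedded in the script. 91.229.143.59 is the address mentioned in the post; every hostname, path and client address below is made up.

```shell
#!/bin/sh
# Added example (not from the original post): extract URLs from a Snort
# payload dump, then find out from the proxy log how the client "landed"
# on the alert's destination IP.
#
# Assumptions: the proxy log uses Squid's native access.log layout
# (time elapsed client status/code bytes method URL ...). Both inputs are
# constructed sample data, not real captures. 91.229.143.59 is the address
# from the post; every hostname, path and client address here is made up.

PAYLOAD_FILE="${TMPDIR:-/tmp}/snort_payload.$$"
PROXY_FILE="${TMPDIR:-/tmp}/proxy_access.$$"
trap 'rm -f "$PAYLOAD_FILE" "$PROXY_FILE"' EXIT

# Constructed stand-in for the "huge" alert payload (tmp.txt in the post).
cat > "$PAYLOAD_FILE" <<'EOF'
GET /report/view/1234 HTTP/1.1
Host: urlquery.net
Referer: http://urlquery.net/search.php
<a href='http://example-bad.test/in.php?id=1'>x</a> <a href='http://example-bad.test/load.php'>y</a>
<script src="http://cdn.example-bad.test/a.js"></script>
EOF

# Constructed proxy log. Times are Unix seconds; 10.0.0.5 is the analyst's
# workstation, 10.0.0.7 is an unrelated client.
cat > "$PROXY_FILE" <<'EOF'
1341850100.000 120 10.0.0.5 TCP_MISS/200 5120 GET http://urlquery.net/search.php - DIRECT/1.2.3.4 text/html
1341850105.000 300 10.0.0.5 TCP_MISS/200 98304 GET http://urlquery.net/report/view/1234 - DIRECT/1.2.3.4 text/html
1341850106.000 50 10.0.0.5 TCP_MISS/200 1024 GET http://91.229.143.59/in.php?id=1 - DIRECT/91.229.143.59 text/html
1341850107.000 40 10.0.0.5 TCP_MISS/404 500 GET http://91.229.143.59/load.php - DIRECT/91.229.143.59 text/html
1341850300.000 20 10.0.0.7 TCP_MISS/200 3000 GET http://www.example.org/ - DIRECT/5.6.7.8 text/html
EOF

# Emit each distinct URL found anywhere in stdin, one per line. Unlike
# "grep http | cut -d' ' -f1", this does not assume the URL starts the
# line, and it stops at whitespace, quotes and angle brackets.
extract_urls() {
  grep -oE "https?://[^[:space:]'\"<>]+" | sort -u
}

# Usage: preceding_requests IP [WINDOW_SECONDS]   (proxy log on stdin)
# For each client that ever requested IP, print the URLs it fetched in the
# WINDOW_SECONDS before its first request to IP: the "how did I land there"
# question, answered from the log instead of from memory.
preceding_requests() {
  ip="$1"; win="${2:-120}"
  awk -v ip="$ip" -v win="$win" '
    {
      ts = $1; client = $3; url = $7
      host = url
      sub("^[a-z]+://", "", host)     # drop the scheme
      sub("[/:].*$", "", host)        # drop path and port
      if (host == ip && !(client in first)) first[client] = ts
      n++; T[n] = ts; C[n] = client; U[n] = url
    }
    END {
      for (i = 1; i <= n; i++)
        if ((C[i] in first) && T[i] < first[C[i]] && T[i] >= first[C[i]] - win)
          print U[i]
    }'
}

# Stand-alone run: the cleaned URL list, then the client's preceding requests.
extract_urls < "$PAYLOAD_FILE"
echo "---"
preceding_requests 91.229.143.59 120 < "$PROXY_FILE"
```

The URL regex also catches URLs that do not begin a line, which the grep/cut pipeline in the post misses. The awk part keys on the first request each client made to the suspect IP and prints that client's requests in the preceding window; widen the window if the proxy logs the referring page well before the redirect.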