From: Wade Dixon (wmd2001yahoo.com)
Date: Thu Feb 28 2002 - 14:11:57 CST


    I've only had an IDS running on my little network
    since the beginning of the year, and in that time I've
    seen 3 or 4 attacks which Snort sees as coming from
    the outside firewall IP. The latest was today; here
    are the logs:

    [**] [1:990:2] WEB-IIS _vti_inf access [**]
    [Classification: access to a potentually vulnerable
    web application] [Priority: 2]
    02/28-13:05:15.715340 (FW external):10158 ->
    (webserver internal):80
    TCP TTL:125 TOS:0x0 ID:47750 IpLen:20 DgmLen:315 DF
    ***AP*** Seq: 0xBD942027 Ack: 0xC3F50B15 Win: 0x4470
     TcpLen: 20

    [**] [1:937:3] WEB-FRONTPAGE _vti_rpc access [**]
    [Classification: access to a potentually vulnerable
    web application] [Priority: 2]
    02/28-13:05:15.950989 (FW external):10158 ->
    (webserver internal):80
    TCP TTL:125 TOS:0x0 ID:47753 IpLen:20 DgmLen:440 DF
    ***AP*** Seq: 0xBD94213A Ack: 0xC3F512D6 Win: 0x4470
     TcpLen: 20
    [Xref => http://www.securityfocus.com/bid/2144]

    [**] [1:937:3] WEB-FRONTPAGE _vti_rpc access [**]
    [Classification: access to a potentually vulnerable
    web application] [Priority: 2]
    02/28-13:05:16.044283 (FW external):13138 ->
    (webserver internal):80
    TCP TTL:125 TOS:0x0 ID:47761 IpLen:20 DgmLen:495 DF
    ***AP*** Seq: 0xC89D3AFF Ack: 0xC3F78F02 Win: 0x4470
     TcpLen: 20
    [Xref => http://www.securityfocus.com/bid/2144]

    [**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
    [Classification: access to a potentually vulnerable
    web application] [Priority: 2]
    02/28-13:05:16.138448 (FW external):11906 ->
    (webserver internal):80
    TCP TTL:125 TOS:0x0 ID:47769 IpLen:20 DgmLen:458 DF
    ***AP*** Seq: 0x464FDF86 Ack: 0xC3F87634 Win: 0x4470
     TcpLen: 20

    [**] [1:937:3] WEB-FRONTPAGE _vti_rpc access [**]
    [Classification: access to a potentually vulnerable
    web application] [Priority: 2]
    02/28-13:05:25.053931 (FW external):11906 ->
    (webserver internal):80
    TCP TTL:125 TOS:0x0 ID:47777 IpLen:20 DgmLen:474 DF
    ***AP*** Seq: 0x464FE256 Ack: 0xC3F8778B Win: 0x4319
     TcpLen: 20
    [Xref => http://www.securityfocus.com/bid/2144]

    [**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
    [Classification: access to a potentually vulnerable
    web application] [Priority: 2]
    02/28-13:05:25.145223 (FW external):9276 -> (webserver
    internal):80
    TCP TTL:125 TOS:0x0 ID:47785 IpLen:20 DgmLen:458 DF
    ***AP*** Seq: 0x8A046ED3 Ack: 0xC41B4951 Win: 0x4470
     TcpLen: 20

    Snort is working properly; it usually shows the
    attacker's public address in alerts. Does anyone have
    an explanation for this, other than my (SonicWall)
    firewall being the actual attack source? There's
    nothing in the firewall logs to indicate anything odd.
    Thanks in advance.

    Wade


    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
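The triage step the post is asking for, as an added example that is not part of the original message: parse Snort 1.x "full" alert blocks like the ones above and flag every source address that belongs to your own gateway or proxy, since alerts attributed to those addresses cannot be resolved by the sensor alone and have to be correlated with that device's own logs. The sample alerts and all addresses are constructed (documentation ranges), not taken from the post.

```python
import re
from collections import Counter

# Constructed sample in Snort 1.x "full" alert format; 192.0.2.1 plays the
# role of the firewall's external address, 10.0.0.5 the internal web server.
SAMPLE_ALERTS = """\
[**] [1:990:2] WEB-IIS _vti_inf access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
02/28-13:05:15.715340 192.0.2.1:10158 -> 10.0.0.5:80
TCP TTL:125 TOS:0x0 ID:47750 IpLen:20 DgmLen:315 DF

[**] [1:937:3] WEB-FRONTPAGE _vti_rpc access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
02/28-13:05:15.950989 192.0.2.1:10158 -> 10.0.0.5:80
TCP TTL:125 TOS:0x0 ID:47753 IpLen:20 DgmLen:440 DF
[Xref => http://www.securityfocus.com/bid/2144]

[**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
02/28-13:05:16.138448 198.51.100.7:11906 -> 10.0.0.5:80
TCP TTL:125 TOS:0x0 ID:47769 IpLen:20 DgmLen:458 DF
"""

# "[**] [gid:sid:rev] message [**]" and "timestamp src:sport -> dst:dport"
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
PKT_RE = re.compile(r"^(\S+) (\S+?):(\d+) -> (\S+?):(\d+)$")

def parse_alerts(text):
    """Return one dict per alert block; blocks are separated by blank lines."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        rec = {"gid": int(m.group(1)), "sid": int(m.group(2)), "msg": m.group(4)}
        for line in lines[1:]:
            p = PKT_RE.match(line)
            if p:  # only the 5-tuple line matches; TCP/Xref lines do not
                rec.update(ts=p.group(1), src=p.group(2), sport=int(p.group(3)),
                           dst=p.group(4), dport=int(p.group(5)))
        alerts.append(rec)
    return alerts

def masked_sources(alerts, infra_addrs):
    """Count alerts per source and return those whose source is one of your own
    gateway/proxy addresses: the real client is hidden behind that device, so
    the alert must be joined with the device's connection logs by timestamp."""
    per_src = Counter(a["src"] for a in alerts)
    return {src: n for src, n in per_src.items() if src in infra_addrs}

if __name__ == "__main__":
    for src, n in masked_sources(parse_alerts(SAMPLE_ALERTS), {"192.0.2.1"}).items():
        print(f"{n} alert(s) attributed to infrastructure address {src}; correlate upstream")
```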