From: Alberto Gonzalez (ag-snort_at_cerebro.violating.us)
Date: Thu Oct 24 2002 - 00:52:32 CDT


    Zachary Uram wrote:

    >Hi,
    >
    >How can I tell which snort alerts I should be concerned about and which
    >are harmless? I was running various IDS programs but the trigger
    >threshold seemed so low I was getting root mailed every 20 secs with
    >some different sort of "alert" sheesh.
    >
    >
    >
    Actually, you should be concerned about _ALL_ alerts (for the first few
    days/weeks) until you establish what's false (if any?) and what are
    truly alerts/attacks. When I first started, I would research what Snort
    gave me alerts on, learn about the attack, and see if I was vulnerable.
    This has helped me greatly in my journey.

    >[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
    >[Classification: Web Application Attack] [Priority: 1]
    >05/31-08:44:22.007315 209.16.250.107:2333 -> 209.166.149.198:80
    >TCP TTL:113 TOS:0x0 ID:55556 IpLen:20 DgmLen:112 DF
    >***AP*** Seq: 0xD9C61308 Ack: 0xF34FE080 Win: 0x4470 TcpLen: 20
    >[Xref => http://www.cert.org/advisories/CA-2001-19.html]
    >
    >[**] [1:1002:2] WEB-IIS cmd.exe access [**]
    >[Classification: Web Application Attack] [Priority: 1]
    >05/31-08:44:23.305171 209.16.250.107:2409 -> 209.166.149.198:80
    >TCP TTL:113 TOS:0x0 ID:55894 IpLen:20 DgmLen:120 DF
    >***AP*** Seq: 0xDA026642 Ack: 0xF3814B1A Win: 0x4470 TcpLen: 20
    >
    These really get annoying (poor access_log). I personally (and mine is
    Unix based) don't care about any IIS attacks aimed at my network. I
    couldn't care less what IIS junk they throw at me. You should customize
    your RULESET to pertain to your network (running services, users,
    etc.). No need to run IIS rules if you're using Apache (same goes for
    other stuff as well).

    >[**] [1:620:1] SCAN Proxy attempt [**]
    >[Classification: Attempted Information Leak] [Priority: 2]
    >06/02-01:04:42.380797 66.140.25.157:41323 -> 209.114.157.102:8080
    >TCP TTL:50 TOS:0x0 ID:4457 IpLen:20 DgmLen:60 DF
    >******S* Seq: 0xB1259605 Ack: 0x0 Win: 0x16D0 TcpLen: 40
    >TCP Options (5) => MSS: 1460 SackOK TS: 254576492 0 NOP WS: 0
    >
    >[**] [1:618:1] INFO - Possible Squid Scan [**]
    >[Classification: Attempted Information Leak] [Priority: 2]
    >06/02-01:04:42.391610 66.140.25.157:41324 -> 209.114.157.102:3128
    >TCP TTL:50 TOS:0x0 ID:38290 IpLen:20 DgmLen:60 DF
    >******S* Seq: 0xB12412FE Ack: 0x0 Win: 0x16D0 TcpLen: 40
    >TCP Options (5) => MSS: 1460 SackOK TS: 254576492 0 NOP WS: 0
    >
    >
    >
    I've seen Squid scan attempts when nmap[1] is run against your network.
    Just someone doing some information gathering on your subnet. I could
    be wrong, just trying to give you a general idea.

    >
    >[**] [100:2:1] spp_portscan: portscan status from 66.140.25.157: 5
    >connections across 1 hosts: TCP(5), UDP(0) [**]
    >06/02-01:45:57.095856
    >
    >
    Just spp_portscan letting you know what's up :-)

    >[**] [1:469:1] ICMP PING NMAP [**]
    >[Classification: Attempted Information Leak] [Priority: 2]
    >06/21-04:04:16.206809 216.17.162.57 -> 209.114.157.5
    >ICMP TTL:25 TOS:0x0 ID:39126 IpLen:20 DgmLen:28
    >Type:8 Code:0 ID:32305 Seq:0 ECHO
    >[Xref => http://www.whitehats.com/info/IDS162]
    >
    >
    >
    Pretty self explanatory.

    >[**] [1:477:1] ICMP Source Quench [**]
    >[Classification: Potentially Bad Traffic] [Priority: 2]
    >08/24-06:36:42.576710 66.37.218.174 -> 209.114.157.24
    >ICMP TTL:237 TOS:0x0 ID:12946 IpLen:20 DgmLen:56 DF
    >Type:4 Code:0 SOURCE QUENCH
    >
    >[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
    >[Classification: Misc activity] [Priority: 3]
    >09/28-10:12:25.898514 209.114.157.221 -> 209.114.157.222
    >ICMP TTL:127 TOS:0x0 ID:59706 IpLen:20 DgmLen:60
    >Type:8 Code:0 ID:49409 Seq:256 ECHO
    >[Xref => http://www.whitehats.com/info/IDS154]
    >
    >
    Can't say I've seen this before; then again, I have everything
    pertaining to Windows turned off.. no need for 'noise'.

    Hope it Helps

        - Albert

    1. nmap http://www.insecure.org/nmap

    -- 
    The secret to success is to start from scratch and keep on scratching.
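The reply above makes two practical points: parse every alert and look it up before deciding it is noise, and tailor the ruleset to the services you actually run (no WEB-IIS rules on an Apache box). The following is an added example, not code from the original post or from the Snort project: it parses the "full" alert-file format quoted in the thread and triages each record against a service inventory. The inventory (`INVENTORY`), the rule-family-to-software mapping (`FAMILY_TARGETS`), the verdict names, and the sample alert text are all constructed for this example; the sample records reuse the format and values quoted in the thread.

```python
"""Parse Snort 'full' alert output and triage it against a service inventory."""
import re
from collections import Counter

# Constructed sample in the alert format quoted in the thread (written out for
# this example, not captured from a live sensor).
SAMPLE_ALERTS = """\
[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-08:44:22.007315 209.16.250.107:2333 -> 209.166.149.198:80
TCP TTL:113 TOS:0x0 ID:55556 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xD9C61308 Ack: 0xF34FE080 Win: 0x4470 TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:620:1] SCAN Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/02-01:04:42.380797 66.140.25.157:41323 -> 209.114.157.102:8080
TCP TTL:50 TOS:0x0 ID:4457 IpLen:20 DgmLen:60 DF

[**] [1:618:1] INFO - Possible Squid Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/02-01:04:42.391610 66.140.25.157:41324 -> 209.114.157.102:3128
TCP TTL:50 TOS:0x0 ID:38290 IpLen:20 DgmLen:60 DF

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/21-04:04:16.206809 216.17.162.57 -> 209.114.157.5
ICMP TTL:25 TOS:0x0 ID:39126 IpLen:20 DgmLen:28
Type:8 Code:0 ID:32305 Seq:0 ECHO
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
# Timestamp, then src[:port] -> dst[:port]; ports are absent for ICMP.
ADDR_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))?$"
)


def parse_alerts(text):
    """Return one dict per alert record; records are separated by blank lines."""
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert header (e.g. stray output); skip it
        gid, sid, rev, msg = m.groups()
        alert = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
                 "classification": None, "priority": None,
                 "src": None, "sport": None, "dst": None, "dport": None}
        for line in lines[1:]:
            c = CLASS_RE.match(line)
            if c:
                alert["classification"] = c.group(1)
                alert["priority"] = int(c.group(2))
                continue
            a = ADDR_RE.match(line)
            if a:
                _, src, sport, dst, dport = a.groups()
                alert.update(src=src, sport=int(sport) if sport else None,
                             dst=dst, dport=int(dport) if dport else None)
        alerts.append(alert)
    return alerts


# Constructed inventory: what really listens on each monitored host.
# Hosts or ports not listed are assumed closed.
INVENTORY = {"209.166.149.198": {80: "apache"}}

# Rule-name prefix -> the server software that rule family is written for.
FAMILY_TARGETS = {"WEB-IIS": "iis", "WEB-FRONTPAGE": "iis"}


def triage(alert, inventory=INVENTORY):
    """Apply the 'does this rule apply to what I run?' test to one alert."""
    listening = inventory.get(alert["dst"], {})
    target = FAMILY_TARGETS.get(alert["msg"].split()[0])
    if target is not None:
        # A product-specific rule only matters if that product is on the port.
        return "investigate" if listening.get(alert["dport"]) == target else "ignore"
    if alert["dport"] is not None and alert["dport"] not in listening:
        return "recon"  # probe of a closed port: track the source, not the alert
    return "investigate" if alert["priority"] == 1 else "review"


def triage_report(text, inventory=INVENTORY):
    """Map sid -> verdict and count sources behind the recon-class alerts."""
    alerts = parse_alerts(text)
    verdicts = {a["sid"]: triage(a, inventory) for a in alerts}
    recon = Counter(a["src"] for a in alerts if verdicts[a["sid"]] == "recon")
    return verdicts, recon


if __name__ == "__main__":
    verdicts, recon = triage_report(SAMPLE_ALERTS)
    for sid, verdict in verdicts.items():
        print(f"sid {sid}: {verdict}")
    print("recon sources:", dict(recon))
```

On the sample data the two WEB-IIS-style checks become "ignore" only because the inventory says port 80 on that host is Apache; change the entry to "iis" and the same alert is flagged for investigation, which is the point of keeping the inventory honest. The proxy and Squid probes from one source collapse into a single recon count rather than two separate alerts to chase.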
    


    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users