Very Computer

by **B. Joshua Rose** » Wed, 10 Apr 2002 01:05:56

I installed snort yesterday because I've had a possible breakin (that's
another thread). The alert file had some things in it this morning and I
was wondering if these are real attacks or if Snort is just over
sensitive. I think that all of these attempts are looking for Microsoft
exploits so they can't effect me. I tried to lookup the IPs of the
attackers, 64.94.220.18 is unknown but 204.57.71.8 is pricewatch. I
access pricewatch all the time so is it possible that Snort is just
misinterpreting a perfectly benign operation?

[**] [1:882:1] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/07-23:37:38.197745 xx.xxx.xxx.65:62954 -> 64.94.220.18:80
TCP TTL:63 TOS:0x10 ID:3362 IpLen:20 DgmLen:621 DF
***AP*** Seq: 0x14C0BA79 Ack: 0x9D9C91D Win: 0x2D40 TcpLen: 32
TCP Options (3) => NOP NOP TS: 9812763 1709877

[**] [1:882:1] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/07-23:37:38.353621 xx.xxx.xxx.65:62953 -> 64.94.220.18:80
TCP TTL:63 TOS:0x10 ID:47566 IpLen:20 DgmLen:622 DF
***AP*** Seq: 0x14322FA1 Ack: 0x9BE97AF Win: 0xF8E0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 9812779 1709879

[**] [1:882:1] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/07-23:37:38.596397 xx.xxx.xxx.65:62954 -> 64.94.220.18:80
TCP TTL:63 TOS:0x10 ID:3365 IpLen:20 DgmLen:618 DF
***AP*** Seq: 0x14C0BCB2 Ack: 0x9D9CB5C Win: 0x3890 TcpLen: 32
TCP Options (3) => NOP NOP TS: 9812803 1709880

[**] [1:882:1] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/07-23:37:38.751752 xx.xxx.xxx.65:62953 -> 64.94.220.18:80
TCP TTL:63 TOS:0x10 ID:47569 IpLen:20 DgmLen:621 DF
***AP*** Seq: 0x143231DB Ack: 0x9BE99B4 Win: 0xF8E0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 9812818 1709882

[**] [1:1244:2] WEB-IIS ISAPI .idq attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/07-23:40:31.458472 xx.xxx.xxx.65:62968 -> 204.57.71.8:80
TCP TTL:63 TOS:0x10 ID:57181 IpLen:20 DgmLen:625 DF
***AP*** Seq: 0x1FF821ED Ack: 0x6D351052 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 9830090 0
[Xref => http://www.whitehats.com/info/IDS553]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071]

by **Tim Hayne** » Wed, 10 Apr 2002 01:38:44

Quote:> I installed snort yesterday because I've had a possible breakin (that's
> another thread). The alert file had some things in it this morning and I
> was wondering if these are real attacks or if Snort is just over
> sensitive.

It can be - I get one or two alerts just for Code Red and/or Nimda.

Best bet is to run tcpdump on the packets that it logs - you'll see if you
recognize the content that way.

~Tim
--
17:38:06 up 152 days, 18:17, 11 users, load average: 0.06, 0.13, 0.20

http://piglet.is.dreaming.org |Sinking suns on a sea of thrills

by **ujay** » Wed, 10 Apr 2002 03:10:36

> I installed snort yesterday because I've had a possible breakin (that's
> another thread). The alert file had some things in it this morning and I
> was wondering if these are real attacks or if Snort is just over
> sensitive. I think that all of these attempts are looking for Microsoft
> exploits so they can't effect me. I tried to lookup the IPs of the
> attackers, 64.94.220.18 is unknown but 204.57.71.8 is pricewatch. I
> access pricewatch all the time so is it possible that Snort is just
> misinterpreting a perfectly benign operation?

> [**] [1:882:1] WEB-CGI calendar access [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 04/07-23:37:38.197745 xx.xxx.xxx.65:62954 -> 64.94.220.18:80
> TCP TTL:63 TOS:0x10 ID:3362 IpLen:20 DgmLen:621 DF
> ***AP*** Seq: 0x14C0BA79 Ack: 0x9D9C91D Win: 0x2D40 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 9812763 1709877

> [**] [1:882:1] WEB-CGI calendar access [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 04/07-23:37:38.353621 xx.xxx.xxx.65:62953 -> 64.94.220.18:80
> TCP TTL:63 TOS:0x10 ID:47566 IpLen:20 DgmLen:622 DF
> ***AP*** Seq: 0x14322FA1 Ack: 0x9BE97AF Win: 0xF8E0 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 9812779 1709879

> [**] [1:882:1] WEB-CGI calendar access [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 04/07-23:37:38.596397 xx.xxx.xxx.65:62954 -> 64.94.220.18:80
> TCP TTL:63 TOS:0x10 ID:3365 IpLen:20 DgmLen:618 DF
> ***AP*** Seq: 0x14C0BCB2 Ack: 0x9D9CB5C Win: 0x3890 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 9812803 1709880

> [**] [1:882:1] WEB-CGI calendar access [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 04/07-23:37:38.751752 xx.xxx.xxx.65:62953 -> 64.94.220.18:80
> TCP TTL:63 TOS:0x10 ID:47569 IpLen:20 DgmLen:621 DF
> ***AP*** Seq: 0x143231DB Ack: 0x9BE99B4 Win: 0xF8E0 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 9812818 1709882

> [**] [1:1244:2] WEB-IIS ISAPI .idq attempt [**]
> [Classification: Web Application Attack] [Priority: 1]
> 04/07-23:40:31.458472 xx.xxx.xxx.65:62968 -> 204.57.71.8:80
> TCP TTL:63 TOS:0x10 ID:57181 IpLen:20 DgmLen:625 DF
> ***AP*** Seq: 0x1FF821ED Ack: 0x6D351052 Win: 0x16D0 TcpLen: 32
> TCP Options (3) => NOP NOP TS: 9830090 0
> [Xref => http://www.whitehats.com/info/IDS553]
> [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071]

Snort can give false positives. I'd bet if you looked at the packets
under /var/log/snort/204.57.71.8 (or your ip), you would find that you
were browsing a web page that contained a link to /calender.

I get tons of these types of snort messages, but still like to confirm
each of them. The clue here was the communications direction
xx.xxx.xxx.65:62968 -> 204.57.71.8:80 indicating request from your
machine to the remote http port.

by **drumsti** » Wed, 10 Apr 2002 04:40:03

> I installed snort yesterday because I've had a possible breakin (that's
> another thread). The alert file had some things in it this morning and I
> was wondering if these are real attacks or if Snort is just over
> sensitive. I think that all of these attempts are looking for Microsoft
> exploits so they can't effect me. I tried to lookup the IPs of the
> attackers, 64.94.220.18 is unknown but 204.57.71.8 is pricewatch. I
> access pricewatch all the time so is it possible that Snort is just
> misinterpreting a perfectly benign operation?
> [**] [1:882:1] WEB-CGI calendar access [**] [Classification: Attempted
> Information Leak] [Priority: 2] 04/07-23:37:38.197745
> xx.xxx.xxx.65:62954 -> 64.94.220.18:80 TCP TTL:63 TOS:0x10 ID:3362
> IpLen:20 DgmLen:621 DF ***AP*** Seq: 0x14C0BA79 Ack: 0x9D9C91D Win:
> 0x2D40 TcpLen: 32 TCP Options (3) => NOP NOP TS: 9812763 1709877

Well, this was an outgoing connection. The arrow is pointing away from
you, so it means that you were accessing the cgi calendar. Nothing wrong
with this. If you want, comment it out of your rules file.

Quote:> [**] [1:1244:2] WEB-IIS ISAPI .idq attempt [**] [Classification: Web
> Application Attack] [Priority: 1] 04/07-23:40:31.458472
> xx.xxx.xxx.65:62968 -> 204.57.71.8:80 TCP TTL:63 TOS:0x10 ID:57181
> IpLen:20 DgmLen:625 DF ***AP*** Seq: 0x1FF821ED Ack: 0x6D351052 Win:
> 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 9830090 0 [Xref =>
> http://www.whitehats.com/info/IDS553] [Xref =>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071]

Again, this one's coming from you, so there's nothing to worry about.

If thsi were the other way around, it might be an attack against an IIS
(microsoft) server. Either way, nothing for you to worry about

--
drumstik

www.ameriphreak.com
http://phreaks.freeshell.org/files/valuhack.exe

Very Computer

Help with Snort alerts

Help with Snort alerts

Help with Snort alerts

Help with Snort alerts

Help with Snort alerts