Help with Snort alerts

Post by B. Joshua Rose » Wed, 10 Apr 2002 01:05:56

I installed snort yesterday because I've had a possible breakin (that's
another thread). The alert file had some things in it this morning and I
was wondering if these are real attacks or if Snort is just over
sensitive. I think that all of these attempts are looking for Microsoft
exploits so they can't affect me. I tried to look up the IPs of the
attackers, 64.94.220.18 is unknown but 204.57.71.8 is pricewatch. I
access pricewatch all the time so is it possible that Snort is just
misinterpreting a perfectly benign operation?

[**] [1:882:1] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/07-23:37:38.197745 xx.xxx.xxx.65:62954 -> 64.94.220.18:80
TCP TTL:63 TOS:0x10 ID:3362 IpLen:20 DgmLen:621 DF
***AP*** Seq: 0x14C0BA79  Ack: 0x9D9C91D  Win: 0x2D40  TcpLen: 32
TCP Options (3) => NOP NOP TS: 9812763 1709877

[**] [1:882:1] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/07-23:37:38.353621 xx.xxx.xxx.65:62953 -> 64.94.220.18:80
TCP TTL:63 TOS:0x10 ID:47566 IpLen:20 DgmLen:622 DF
***AP*** Seq: 0x14322FA1  Ack: 0x9BE97AF  Win: 0xF8E0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 9812779 1709879

[**] [1:882:1] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/07-23:37:38.596397 xx.xxx.xxx.65:62954 -> 64.94.220.18:80
TCP TTL:63 TOS:0x10 ID:3365 IpLen:20 DgmLen:618 DF
***AP*** Seq: 0x14C0BCB2  Ack: 0x9D9CB5C  Win: 0x3890  TcpLen: 32
TCP Options (3) => NOP NOP TS: 9812803 1709880

[**] [1:882:1] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/07-23:37:38.751752 xx.xxx.xxx.65:62953 -> 64.94.220.18:80
TCP TTL:63 TOS:0x10 ID:47569 IpLen:20 DgmLen:621 DF
***AP*** Seq: 0x143231DB  Ack: 0x9BE99B4  Win: 0xF8E0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 9812818 1709882

[**] [1:1244:2] WEB-IIS ISAPI .idq attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/07-23:40:31.458472 xx.xxx.xxx.65:62968 -> 204.57.71.8:80
TCP TTL:63 TOS:0x10 ID:57181 IpLen:20 DgmLen:625 DF
***AP*** Seq: 0x1FF821ED  Ack: 0x6D351052  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 9830090 0
[Xref => http://www.whitehats.com/info/IDS553]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071]

Help with Snort alerts

Post by Tim Hayne » Wed, 10 Apr 2002 01:38:44

> I installed snort yesterday because I've had a possible breakin (that's
> another thread). The alert file had some things in it this morning and I
> was wondering if these are real attacks or if Snort is just over
> sensitive.

It can be - I get one or two alerts just for Code Red and/or Nimda.

Best bet is to run tcpdump on the packets that it logs - you'll see if you
recognize the content that way.

~Tim
--
  17:38:06 up 152 days, 18:17, 11 users,  load average: 0.06, 0.13, 0.20

http://piglet.is.dreaming.org     |Sinking suns on a sea of thrills

Help with Snort alerts

Post by ujay » Wed, 10 Apr 2002 03:10:36

> I installed snort yesterday because I've had a possible breakin (that's
> another thread). The alert file had some things in it this morning and I
> was wondering if these are real attacks or if Snort is just over
> sensitive. I think that all of these attempts are looking for Microsoft
> exploits so they can't affect me. I tried to look up the IPs of the
> attackers, 64.94.220.18 is unknown but 204.57.71.8 is pricewatch. I
> access pricewatch all the time so is it possible that Snort is just
> misinterpreting a perfectly benign operation?

> [**] [1:882:1] WEB-CGI calendar access [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 04/07-23:37:38.197745 xx.xxx.xxx.65:62954 -> 64.94.220.18:80
> TCP TTL:63 TOS:0x10 ID:3362 IpLen:20 DgmLen:621 DF
> ***AP*** Seq: 0x14C0BA79  Ack: 0x9D9C91D  Win: 0x2D40  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 9812763 1709877

> [**] [1:882:1] WEB-CGI calendar access [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 04/07-23:37:38.353621 xx.xxx.xxx.65:62953 -> 64.94.220.18:80
> TCP TTL:63 TOS:0x10 ID:47566 IpLen:20 DgmLen:622 DF
> ***AP*** Seq: 0x14322FA1  Ack: 0x9BE97AF  Win: 0xF8E0  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 9812779 1709879

> [**] [1:882:1] WEB-CGI calendar access [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 04/07-23:37:38.596397 xx.xxx.xxx.65:62954 -> 64.94.220.18:80
> TCP TTL:63 TOS:0x10 ID:3365 IpLen:20 DgmLen:618 DF
> ***AP*** Seq: 0x14C0BCB2  Ack: 0x9D9CB5C  Win: 0x3890  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 9812803 1709880

> [**] [1:882:1] WEB-CGI calendar access [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 04/07-23:37:38.751752 xx.xxx.xxx.65:62953 -> 64.94.220.18:80
> TCP TTL:63 TOS:0x10 ID:47569 IpLen:20 DgmLen:621 DF
> ***AP*** Seq: 0x143231DB  Ack: 0x9BE99B4  Win: 0xF8E0  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 9812818 1709882

> [**] [1:1244:2] WEB-IIS ISAPI .idq attempt [**]
> [Classification: Web Application Attack] [Priority: 1]
> 04/07-23:40:31.458472 xx.xxx.xxx.65:62968 -> 204.57.71.8:80
> TCP TTL:63 TOS:0x10 ID:57181 IpLen:20 DgmLen:625 DF
> ***AP*** Seq: 0x1FF821ED  Ack: 0x6D351052  Win: 0x16D0  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 9830090 0
> [Xref => http://www.whitehats.com/info/IDS553]
> [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071]

Snort can give false positives. I'd bet if you looked at the packets
under /var/log/snort/204.57.71.8 (or your ip), you would find that you
were browsing a web page that contained a link to /calendar.

I get tons of these types of snort messages, but still like to confirm
each of them.  The clue here was the communications direction
xx.xxx.xxx.65:62968 -> 204.57.71.8:80, indicating a request from your
machine to the remote http port.

Help with Snort alerts

Post by drumsti » Wed, 10 Apr 2002 04:40:03

> I installed snort yesterday because I've had a possible breakin (that's
> another thread). The alert file had some things in it this morning and I
> was wondering if these are real attacks or if Snort is just over
> sensitive. I think that all of these attempts are looking for Microsoft
> exploits so they can't affect me. I tried to look up the IPs of the
> attackers, 64.94.220.18 is unknown but 204.57.71.8 is pricewatch. I
> access pricewatch all the time so is it possible that Snort is just
> misinterpreting a perfectly benign operation?
> [**] [1:882:1] WEB-CGI calendar access [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 04/07-23:37:38.197745 xx.xxx.xxx.65:62954 -> 64.94.220.18:80
> TCP TTL:63 TOS:0x10 ID:3362 IpLen:20 DgmLen:621 DF
> ***AP*** Seq: 0x14C0BA79  Ack: 0x9D9C91D  Win: 0x2D40  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 9812763 1709877

Well, this was an outgoing connection.  The arrow is pointing away from
you, so it means that you were accessing the cgi calendar.  Nothing wrong
with this.  If you want, comment it out of your rules file.

> [**] [1:1244:2] WEB-IIS ISAPI .idq attempt [**]
> [Classification: Web Application Attack] [Priority: 1]
> 04/07-23:40:31.458472 xx.xxx.xxx.65:62968 -> 204.57.71.8:80
> TCP TTL:63 TOS:0x10 ID:57181 IpLen:20 DgmLen:625 DF
> ***AP*** Seq: 0x1FF821ED  Ack: 0x6D351052  Win: 0x16D0  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 9830090 0
> [Xref => http://www.whitehats.com/info/IDS553]
> [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071]

Again, this one's coming from you, so there's nothing to worry about.

If this were the other way around, it might be an attack against an IIS
(Microsoft) server.  Either way, nothing for you to worry about.

--
drumstik

www.ameriphreak.com
http://phreaks.freeshell.org/files/valuhack.exe
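The direction check that ujay and drumstik both apply (local host on a high port -> remote port 80 means the alert fired on the poster's own request) is easy to automate over an alert file. The script below is an added example for this thread, not code from the thread or from the Snort project. It parses the multi-line "full" alert format shown in the posts, classifies each record as inbound or outbound relative to an assumed local network (192.0.2.0/24, standing in for the masked xx.xxx.xxx.65), and counts verdicts. The two outbound records are taken from the thread; the third, inbound record is constructed to show the reverse case drumstik describes.

```python
"""Direction triage for Snort 'full'-format alerts (added example, not the
thread's or Snort's own code). Assumptions: our hosts live in 192.0.2.0/24;
the sample text below is constructed from the thread's alerts plus one
invented inbound record."""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
FLOW_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?):(\d+) -> (\S+?):(\d+)$")


@dataclass
class Alert:
    gid: int            # generator id (1 = rules engine)
    sid: int            # signature id, e.g. 882 = WEB-CGI calendar access
    rev: int
    msg: str
    classification: str
    priority: int
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alerts(text):
    """Split an alert file into Alert records (records are blank-line
    separated). Only header, classification and flow lines are needed for
    direction triage; TTL/flags/options/Xref lines are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 3:
            continue
        h = HEADER_RE.match(lines[0])
        c = CLASS_RE.match(lines[1])
        f = FLOW_RE.match(lines[2])
        if not (h and c and f):
            continue            # malformed record: skip rather than guess
        alerts.append(Alert(int(h[1]), int(h[2]), int(h[3]), h[4],
                            c[1], int(c[2]), f[1],
                            f[2], int(f[3]), f[4], int(f[5])))
    return alerts


def direction(alert, local_nets):
    """'outbound', 'inbound' or 'other' relative to our own address space."""
    src_local = any(ip_address(alert.src) in n for n in local_nets)
    dst_local = any(ip_address(alert.dst) in n for n in local_nets)
    if src_local and not dst_local:
        return "outbound"
    if dst_local and not src_local:
        return "inbound"
    return "other"


def triage(alert, local_nets, service_ports=(80, 443)):
    """Our host, high source port -> remote service port: our own request,
    so the rule fired on a URL we fetched (still confirm the payload in the
    packet log). Remote host -> a service port on our side: worth review."""
    d = direction(alert, local_nets)
    if d == "outbound" and alert.dport in service_ports and alert.sport > 1023:
        return "likely-benign-outbound"
    if d == "inbound" and alert.dport in service_ports:
        return "inbound-to-service"
    return d


def summarize(alerts, local_nets):
    """Count alerts per verdict, e.g. {'likely-benign-outbound': 2, ...}."""
    return dict(Counter(triage(a, local_nets) for a in alerts))


# Constructed sample: thread alerts with 192.0.2.65 as the local address,
# plus one invented inbound .idq record (198.51.100.7 is a documentation net).
SAMPLE = """\
[**] [1:882:1] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/07-23:37:38.197745 192.0.2.65:62954 -> 64.94.220.18:80
TCP TTL:63 TOS:0x10 ID:3362 IpLen:20 DgmLen:621 DF
***AP*** Seq: 0x14C0BA79  Ack: 0x9D9C91D  Win: 0x2D40  TcpLen: 32
TCP Options (3) => NOP NOP TS: 9812763 1709877

[**] [1:1244:2] WEB-IIS ISAPI .idq attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/07-23:40:31.458472 192.0.2.65:62968 -> 204.57.71.8:80
TCP TTL:63 TOS:0x10 ID:57181 IpLen:20 DgmLen:625 DF
[Xref => http://www.whitehats.com/info/IDS553]

[**] [1:1244:2] WEB-IIS ISAPI .idq attempt [**]
[Classification: Web Application Attack] [Priority: 1]
04/08-03:12:09.000001 198.51.100.7:4211 -> 192.0.2.65:80
TCP TTL:112 TOS:0x0 ID:100 IpLen:20 DgmLen:60 DF
"""

LOCAL = [ip_network("192.0.2.0/24")]

if __name__ == "__main__":
    for a in parse_alerts(SAMPLE):
        print(f"{a.timestamp} sid:{a.sid} {a.src}:{a.sport} -> "
              f"{a.dst}:{a.dport}  {triage(a, LOCAL)}")
    print(summarize(parse_alerts(SAMPLE), LOCAL))
```

The verdict is a sorting aid, not a final answer: as Tim and ujay say, the packet Snort logged under /var/log/snort/<remote ip> (readable with `tcpdump -r`) shows whether the matched URL was really something the browser requested. Alerts that sort as "inbound-to-service" are the ones to look at first.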
