
RE: Snort Log?



> Hello, people, this is my first time on this list.
>
> I've a question for all you guys.
> I'm running a woody with snort installed and configured to listen on the
> ppp0, I received this snort daily report:
>
> 3) IDS246 - MISC - Large ICMP Packet: xxx.xx.xx.xx -> home_net
>
> After seeking the /var/log/auth.log, I found that I receive this type of
> packet every time I connect to the Web server running on this IP.
>
> What kind of game is it? Is it an AIX feature (the OS that the host
> claims to run)?
>
> Is there a good reason (even to check if the client IP isn't spoofed) to
> do this?

this is probably just it using a large ICMP to determine your MTU (maximum
transfer unit). you can add a rule for ICMP from that IP, using logs. if
it's 1500 (the usual MTU), ignore. i had an NTP server do that to me, it
turned out to be a misconfigured server.

> Another question: sometimes I receive alerts like this, coming from the
> same IP (but, I think, this is a hosted website on his IP)
>
> IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot: xxx.xx.xx.xx:80 ->
> my_home_net
>
> I think this is a probe to see if I'm running Compaq Management
> Agents, to exploit a .. attack? Right?

<rule>
alert tcp !$HOME_NET any -> $HOME_NET 2301 (msg:"IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot"; content: "../";)
</rule>

this means it's quite possible this is just a false alarm. ../ is a very
usual thing to put in a script. check with the system administrator, just to
be sure.

my suggestion, however, would be to prune out whatever rules you don't need.
there's no need for monitoring for something you quite simply don't run, so
why risk false reports?

> TIA for the answers.

you're welcome.

-m

When you are having a bad day, and it seems like everybody is trying to piss
you off, remember that it takes 42 muscles to produce a frown, but only 4
muscles to work the trigger of a good sniper rifle.
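The tuning advice in the reply above (see which host keeps triggering a signature, suppress a source once the administrator has confirmed it is benign, and prune rules for services you don't run) as an added example that is not part of the original thread: a small Python helper over Snort fast-format alert lines. The alert lines, the sids 1000001-1000003, the addresses and the "services we actually expose" inventory are all constructed for illustration; the `suppress` entries it emits use the Snort 2.x threshold.conf syntax.

```python
"""Added example (not from the original thread): a tuner for Snort fast-format alerts.

Assumption: alert lines follow Snort's classic "fast" output layout
  MM/DD-HH:MM:SS.uuuuuu [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src[:port] -> dst[:port]
The sids, IPs and the port inventory below are constructed, not real data.
"""
import re
from collections import Counter

ALERT_RE = re.compile(
    r"^\S+ \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample log mirroring the two alerts discussed in the thread,
# plus one unrelated probe against the web server.  Sids are placeholders.
SAMPLE_LOG = """\
01/12-10:04:31.123456 [**] [1:1000001:1] IDS246 - MISC - Large ICMP Packet [**] [Priority: 3] {ICMP} 192.0.2.10 -> 10.0.0.5
01/12-10:04:32.223456 [**] [1:1000001:1] IDS246 - MISC - Large ICMP Packet [**] [Priority: 3] {ICMP} 192.0.2.10 -> 10.0.0.5
01/12-10:05:02.000001 [**] [1:1000002:1] IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot [**] [Priority: 2] {TCP} 192.0.2.10:80 -> 10.0.0.5:2301
01/12-11:17:45.000001 [**] [1:1000002:1] IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot [**] [Priority: 2] {TCP} 198.51.100.7:4444 -> 10.0.0.5:2301
01/12-12:00:00.000001 [**] [1:1000003:1] WEB-MISC example probe [**] [Priority: 2] {TCP} 198.51.100.7:5555 -> 10.0.0.5:80
"""

# Constructed inventory: the TCP/UDP ports HOME_NET really listens on.
RUNNING_PORTS = {22, 80}


def parse_alert(line):
    """Parse one fast-format alert line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        d[k] = int(d[k])
    for k in ("sport", "dport"):  # ICMP alerts carry no ports
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def parse_log(text):
    """Parse a whole log, silently skipping lines that are not alerts."""
    return [a for a in (parse_alert(ln) for ln in text.splitlines()) if a]


def count_by_source(alerts):
    """Counter keyed on (sid, msg, src): the 'which host keeps firing this?' view."""
    return Counter((a["sid"], a["msg"], a["src"]) for a in alerts)


def prune_candidates(alerts, running_ports):
    """Sids of TCP/UDP signatures that only ever fire on ports HOME_NET does not serve.

    These are the rules the reply suggests removing: alerts for a service you
    don't run can only be noise.
    """
    ports_seen = {}
    for a in alerts:
        if a["proto"] not in ("TCP", "UDP") or a["dport"] is None:
            continue
        ports_seen.setdefault(a["sid"], set()).add(a["dport"])
    return sorted(sid for sid, ports in ports_seen.items() if not (ports & running_ports))


def suppress_lines(alerts, benign_sources):
    """Snort threshold.conf 'suppress' entries for every signature a verified-benign source trips.

    Use only after the administrator of that host has confirmed the traffic
    (e.g. the MTU-sized ICMP from the web server) is legitimate.
    """
    pairs = sorted({(a["gid"], a["sid"], a["src"]) for a in alerts if a["src"] in benign_sources})
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}" for gid, sid, src in pairs]


if __name__ == "__main__":
    alerts = parse_log(SAMPLE_LOG)
    for (sid, msg, src), n in count_by_source(alerts).most_common():
        print(f"{n:3d}  sid {sid}  {src:15s}  {msg}")
    print("rules for services we don't run:", prune_candidates(alerts, RUNNING_PORTS))
    print("\n".join(suppress_lines(alerts, {"192.0.2.10"})))
```

Running it prints the per-source counts, names sid 1000002 (the port 2301 Compaq rule) as a prune candidate because nothing on HOME_NET listens there, and emits two `suppress` lines for 192.0.2.10 that can be dropped into threshold.conf once that host has been checked.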
