
Re: Snort Question



On 27 Sep 2004, James Sinnamon wrote:
> I haven't yet had much joy from a question, further below, which I sent to the
> Snort mailing list. Can anyone help? Any response would be appreciated, even
> if only to politely say that the question is too stupid to warrant a response.

[...]

> I have had Snort running since May on a Debian Linux system, but I still do
> not know how to use the information in /var/log/snort/alert*. I bought "Snort
> for Dummies" to kick start myself, but the description of the alert records
> does not correspond to what I find on my system.

You may well find that the book, being paper and thus prone to getting
outdated, no longer matches up with the version of Snort in Debian.

Alternately, it may be that Debian in stable is older than the book. :)

[...]

> [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
> 09/27-08:39:21.347580 147.16.81.75:32999 -> 203.26.51.42:80 TCP TTL:63 TOS:0x0
> ID:57676 IpLen:20 DgmLen:1272 DF ***AP*** Seq: 0xF0F14CE9 Ack: 0xF0CED3A Win:
> 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 175525 948682168
>
> [**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
> 09/27-08:39:32.182348 147.16.81.75:33010 -> 203.26.51.42:80 TCP TTL:63 TOS:0x0
> ID:25593 IpLen:20 DgmLen:1272 DF ***AP*** Seq: 0xF120D22B Ack: 0x778B898C Win:
> 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 176608 939098917
>
> [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
> 09/27-09:11:32.017827 147.16.81.75:33483 -> 202.139.107.20:80 TCP TTL:63
> TOS:0x0 ID:28272 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0x69DCF1BA Ack:
> 0xFBBF7BBA Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 368601
> 648869733
>
> [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
> 09/27-09:12:25.912677 147.16.81.75:33488 -> 202.139.106.174:80 TCP TTL:63
> TOS:0x0 ID:18618 IpLen:20 DgmLen:620 DF ***AP*** Seq: 0x6CC6FC5C Ack:
> 0xCED41371 Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 373991
> 780114678
>
> ... do the above records contain Snort IDs? The closest I can find are:
> [119:16:1], [119:15:1], and [119:2:1].

I cannot help you there, I fear.

> Also, I am not sure which of the port pairs is meant to be the source and
> which is meant to be the destination. Are the above records of:
>
> 1) attempts to hack into my system (147.16.81.75), or
> 2) attempts by processes on my system to hack into other
> systems (203.26.51.42, 202.139.107.20, 202.139.106.174)?

The direction of the arrow (->) is a hint, I suspect. :)

Those are all HTTP-based attacks, so the fact that they come from the
147.* address on a high port and go to your systems on port 80 would
also seem a bit of a hint.

So, the answer is that they are the source host and port on the left,
then the destination host and port on the right.

These represent some sort of automatic attack on your system, most
likely.


        Daniel
-- 
Heu! Tintinnuntius Meus Sonat!
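As an added example, not part of the thread, a small Python parser for the Snort "full" alert format shown above: it pulls out the [gid:sid:rev] triple James was looking for, reads the address to the left of "->" as the source and the one on the right as the destination, and classifies each record as inbound or outbound relative to whatever address range you configure as your own. The parser and its function names are mine; the sample records are the three from the thread with the mail client's line wrapping undone.

```python
import re
from ipaddress import ip_address, ip_network

# Three records as they appear in the "full" alert file, copied from the thread.
SAMPLE_ALERTS = """\
[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
09/27-08:39:21.347580 147.16.81.75:32999 -> 203.26.51.42:80
TCP TTL:63 TOS:0x0 ID:57676 IpLen:20 DgmLen:1272 DF

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
09/27-09:11:32.017827 147.16.81.75:33483 -> 202.139.107.20:80
TCP TTL:63 TOS:0x0 ID:28272 IpLen:20 DgmLen:1500 DF

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
09/27-09:12:25.912677 147.16.81.75:33488 -> 202.139.106.174:80
TCP TTL:63 TOS:0x0 ID:18618 IpLen:20 DgmLen:620 DF
"""

# "[**] [gid:sid:rev] message [**]" then "timestamp src:port -> dst:port PROTO ...";
# gid is the generator (119 = http_inspect preprocessor), sid the event, rev the revision.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]\n"
    r"(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)

def parse_alerts(text):
    """Return one dict per record with the numeric fields converted to int."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts

def direction(alert, local_net):
    """Left of '->' is the source, right the destination; classify against our own range."""
    src_local = ip_address(alert["src"]) in local_net
    dst_local = ip_address(alert["dst"]) in local_net
    if src_local and not dst_local:
        return "outbound"
    if dst_local and not src_local:
        return "inbound"
    return "internal" if src_local else "transit"

if __name__ == "__main__":
    home = ip_network("147.16.81.75/32")  # the address James gives for his own system
    for a in parse_alerts(SAMPLE_ALERTS):
        print(f"{a['gid']}:{a['sid']}:{a['rev']} {direction(a, home):8} "
              f"{a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}  {a['msg']}")
```

Point it at /var/log/snort/alert with your own network as `home` and the inbound/outbound column answers the direction question for every record without reading the packet line by hand.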