interpreting output of SNORT
Hello
Can someone please take a look at my latest snort report and advise me
on a course of action.... I cleaned a SuckIT rootkit off of my system
the other day (I think I got infected last Sunday). Does the snort log
indicate attempts at another hack, or that I still have a problem on my
box? My IP at the time was 138.89.107.88
Date: Thu, 29 Jul 2004 07:35:50 -0400
Events between 07 28 16:53:09 and 07 29 01:17:31
Total events: 14
Signatures recorded: 4
Source IP recorded: 4
Destination IP recorded: 2
Events from same host to same destination using same method
=======================================================================
 # of  from            to              method
=======================================================================
    6  138.89.107.88   65.54.184.250   (http_inspect) DOUBLE DECODING ATTACK
    3  69.19.218.60    138.89.107.88   ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)
    3  206.46.170.10   138.89.107.88   ATTACK-RESPONSES id check returned root
    2  65.212.179.1    138.89.107.88   ICMP Destination Unreachable (Communication Administratively Prohibited)
Percentage and number of events from a host to a destination
============================================================
% # of from to
============================================================
42.86 6 138.89.107.88 65.54.184.250
21.43 3 69.19.218.60 138.89.107.88
21.43 3 206.46.170.10 138.89.107.88
14.29 2 65.212.179.1 138.89.107.88
Percentage and number of events from one host to any with same method
==============================================================
     %  # of  from            method
==============================================================
 42.86     6  138.89.107.88   (http_inspect) DOUBLE DECODING ATTACK
 21.43     3  69.19.218.60    ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)
 21.43     3  206.46.170.10   ATTACK-RESPONSES id check returned root
 14.29     2  65.212.179.1    ICMP Destination Unreachable (Communication Administratively Prohibited)
Percentage and number of events to one certain host
=================================================================
     %  # of  to              method
=================================================================
 42.86     6  65.54.184.250   (http_inspect) DOUBLE DECODING ATTACK
 21.43     3  138.89.107.88   ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)
 21.43     3  138.89.107.88   ATTACK-RESPONSES id check returned root
 14.29     2  138.89.107.88   ICMP Destination Unreachable (Communication Administratively Prohibited)
The distribution of event methods
===============================================
% # of method
===============================================
42.86 6 (http_inspect) DOUBLE DECODING ATTACK
6 138.89.107.88 -> 65.54.184.250
21.43 3 ATTACK-RESPONSES id check returned root
3 206.46.170.10 -> 138.89.107.88
21.43 3 ICMP Destination Unreachable
(Communication with Destination Network is Administratively Prohibited)
3 69.19.218.60 -> 138.89.107.88
14.29 2 ICMP Destination Unreachable
(Communication Administratively Prohibited)
2 65.212.179.1 -> 138.89.107.88
Shawn Lamson
shawn.lamson@verizon.net
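The summary in the post is an aggregate over individual Snort alerts, so it helps to see how the groupings are produced from the raw alert lines. The script below is an added example, not code from the post and not Snort's own snort-stat tool: it parses Snort fast-format alert lines and tallies them by flow, by source and signature, by destination and signature, and by signature alone, the same way the report does. The alert lines it uses are constructed to reproduce the report's 14 events and four signatures; the gid:sid numbers, timestamps, ports and exact line layout are assumptions, not the poster's real logs.

```python
"""Tally Snort fast-format alerts the way the snort-stat style summary does.

Added example, not code from the original post or from Snort. The alert
lines are constructed to reproduce the report's 14 events and four
signatures; gid:sid values, timestamps, ports and line layout are assumed.
"""
import re
from collections import Counter

# Assumed "alert_fast" layout:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {PROTO} src[:port] -> dst[:port]
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?(?:\s+\[Priority:\s*\d+\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def build_sample():
    """Constructed alert lines: (repeat, gid, sid, msg, proto, src, dst)."""
    spec = [
        (6, 119, 2, "(http_inspect) DOUBLE DECODING ATTACK", "TCP",
         "138.89.107.88:1067", "65.54.184.250:80"),
        (3, 1, 485, "ICMP Destination Unreachable (Communication with Destination "
                    "Network is Administratively Prohibited)", "ICMP",
         "69.19.218.60", "138.89.107.88"),
        (3, 1, 498, "ATTACK-RESPONSES id check returned root", "TCP",
         "206.46.170.10:80", "138.89.107.88:1102"),
        (2, 1, 487, "ICMP Destination Unreachable (Communication Administratively "
                    "Prohibited)", "ICMP", "65.212.179.1", "138.89.107.88"),
    ]
    lines, n = [], 0
    for repeat, gid, sid, msg, proto, src, dst in spec:
        for _ in range(repeat):
            n += 1  # one second apart; timestamps are constructed
            lines.append(
                f"07/28-16:53:{n:02d}.000000  [**] [{gid}:{sid}:1] {msg} [**] "
                f"[Priority: 3] {{{proto}}} {src} -> {dst}"
            )
    return lines


SAMPLE_LINES = build_sample()


def parse_alert(line):
    """Return the fields of one fast-alert line, or None if it is not one."""
    m = FAST_ALERT.match(line)
    return m.groupdict() if m else None


def pct(n, total):
    """Percentage rounded the way the report prints it (two decimals)."""
    return round(100.0 * n / total, 2) if total else 0.0


def summarize(lines):
    """Group parsed alerts into the report's tallies; unparseable lines are skipped."""
    events = [e for e in (parse_alert(line) for line in lines) if e]
    s = {
        "total": len(events),
        "by_flow_method": Counter((e["src"], e["dst"], e["msg"]) for e in events),
        "by_flow": Counter((e["src"], e["dst"]) for e in events),
        "by_src_method": Counter((e["src"], e["msg"]) for e in events),
        "by_dst_method": Counter((e["dst"], e["msg"]) for e in events),
        "by_method": Counter(e["msg"] for e in events),
    }
    s["signatures"] = len(s["by_method"])
    s["sources"] = len({e["src"] for e in events})
    s["destinations"] = len({e["dst"] for e in events})
    return s


def render(s):
    """Plain-text report in the style of the summary in the post."""
    out = [f"Total events: {s['total']}",
           f"Signatures recorded: {s['signatures']}",
           f"Source IP recorded: {s['sources']}",
           f"Destination IP recorded: {s['destinations']}",
           "",
           "Events from same host to same destination using same method",
           f"{'# of':>5}  {'from':<16}{'to':<16}method"]
    for (src, dst, msg), n in s["by_flow_method"].most_common():
        out.append(f"{n:>5}  {src:<16}{dst:<16}{msg}")
    out += ["", "The distribution of event methods", f"{'%':>6} {'# of':>5}  method"]
    for msg, n in s["by_method"].most_common():
        out.append(f"{pct(n, s['total']):>6.2f} {n:>5}  {msg}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LINES)))
```

Keeping source and destination as separate keys matters when reading such a report: ATTACK-RESPONSES rules match content in the reply stream, so the "from" column on that row is the remote host that sent the matching bytes, not necessarily the side that opened the connection.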