
interpreting output of SNORT



Hello

Can someone please take a look at my latest snort report and advise me
on a course of action.... I cleaned a SuckIT rootkit off of my system
the other day (I think I got infected last Sunday).  Does the snort log
indicate attempts at another hack, or that I still have a problem on my
box?  My IP at the time was 138.89.107.88


Date: Thu, 29 Jul 2004 07:35:50 -0400

Events between  07 28 16:53:09  and  07 29 01:17:31
Total events: 14
Signatures recorded: 4
Source IP recorded: 4
Destination IP recorded: 2


Events from same host to same destination using same method
=========================================================================
 # of  from             to               method
=========================================================================
    6  138.89.107.88    65.54.184.250    (http_inspect) DOUBLE DECODING ATTACK
    3  69.19.218.60     138.89.107.88    ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)
    3  206.46.170.10    138.89.107.88    ATTACK-RESPONSES id check returned root
    2  65.212.179.1     138.89.107.88    ICMP Destination Unreachable (Communication Administratively Prohibited)


Percentage and number of events from a host to a destination
============================================================
    %    # of  from             to
============================================================
42.86     6  138.89.107.88    65.54.184.250
21.43     3  69.19.218.60     138.89.107.88
21.43     3  206.46.170.10    138.89.107.88
14.29     2  65.212.179.1     138.89.107.88


Percentage and number of events from one host to any with same method
==============================================================
    %    # of  from             method
==============================================================
42.86     6  138.89.107.88    (http_inspect) DOUBLE DECODING ATTACK
21.43     3  69.19.218.60     ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)
21.43     3  206.46.170.10    ATTACK-RESPONSES id check returned root
14.29     2  65.212.179.1     ICMP Destination Unreachable (Communication Administratively Prohibited)


Percentage and number of events to one certain host
=================================================================
    %    # of  to               method
=================================================================
42.86     6  65.54.184.250    (http_inspect) DOUBLE DECODING ATTACK
21.43     3  138.89.107.88    ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)
21.43     3  138.89.107.88    ATTACK-RESPONSES id check returned root
14.29     2  138.89.107.88    ICMP Destination Unreachable (Communication Administratively Prohibited)


The distribution of event methods
===============================================
    %    # of  method
===============================================
42.86     6  (http_inspect) DOUBLE DECODING ATTACK
             6     138.89.107.88   -> 65.54.184.250
21.43     3  ATTACK-RESPONSES id check returned root
             3     206.46.170.10   -> 138.89.107.88
21.43     3  ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)
             3     69.19.218.60    -> 138.89.107.88
14.29     2  ICMP Destination Unreachable (Communication Administratively Prohibited)
             2     65.212.179.1    -> 138.89.107.88





Shawn Lamson
shawn.lamson@verizon.net
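The report above is a per-flow aggregation, so the first thing to establish is direction: which rows have the poster's own address in the "from" column (alerts on packets his host sent) and which have it in the "to" column (alerts on packets sent to him). The script below is an added example, not part of the post or of Snort itself. It parses a constructed copy of the summary rows and header counts from the report, cross-checks the rows against the report's own totals, and splits the signature counts by direction relative to the poster's IP. The row format assumed is the one visible in the post (count, source, destination, signature); other snort-stat layouts may differ.

```python
import re
from collections import Counter

# Constructed input: the header counts and the "Events from same host to same
# destination using same method" rows from the report in the post, embedded
# inline so the script runs offline.
SNORT_SUMMARY = """\
Total events: 14
Signatures recorded: 4
Source IP recorded: 4
Destination IP recorded: 2

 # of  from             to               method
    6  138.89.107.88    65.54.184.250    (http_inspect) DOUBLE DECODING ATTACK
    3  69.19.218.60     138.89.107.88    ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)
    3  206.46.170.10    138.89.107.88    ATTACK-RESPONSES id check returned root
    2  65.212.179.1     138.89.107.88    ICMP Destination Unreachable (Communication Administratively Prohibited)
"""

MY_IP = "138.89.107.88"  # the poster's address at the time, taken from the post

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# count, source IP, destination IP, then the signature text to end of line
ROW_RE = re.compile(r"^\s*(\d+)\s+" + IPV4 + r"\s+" + IPV4 + r"\s+(.+?)\s*$")
HEADER_RE = re.compile(
    r"^(Total events|Signatures recorded|Source IP recorded|Destination IP recorded):\s*(\d+)\s*$"
)


def parse_summary(text):
    """Return (header_counts, rows); each row is dict(count, src, dst, sig)."""
    header, rows = {}, []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            header[h.group(1)] = int(h.group(2))
            continue
        m = ROW_RE.match(line)
        if m:
            count, src, dst, sig = m.groups()
            rows.append({"count": int(count), "src": src, "dst": dst, "sig": sig})
    return header, rows


def check_totals(header, rows):
    """Cross-check the per-flow rows against the report's own header counts.

    A mismatch means the parser missed a row (or the report was truncated),
    so the per-direction numbers below should not be trusted.
    """
    problems = []
    if sum(r["count"] for r in rows) != header.get("Total events"):
        problems.append("row counts do not add up to Total events")
    if len({r["sig"] for r in rows}) != header.get("Signatures recorded"):
        problems.append("distinct signatures differ from Signatures recorded")
    if len({r["src"] for r in rows}) != header.get("Source IP recorded"):
        problems.append("distinct sources differ from Source IP recorded")
    if len({r["dst"] for r in rows}) != header.get("Destination IP recorded"):
        problems.append("distinct destinations differ from Destination IP recorded")
    return problems


def by_direction(rows, my_ip):
    """Signature totals split by direction relative to my_ip.

    'outbound': my host was the source of the packet that matched.
    'inbound':  the matching packet was sent to my host.
    """
    result = {"outbound": Counter(), "inbound": Counter(), "unrelated": Counter()}
    for r in rows:
        if r["src"] == my_ip:
            bucket = "outbound"
        elif r["dst"] == my_ip:
            bucket = "inbound"
        else:
            bucket = "unrelated"
        result[bucket][r["sig"]] += r["count"]
    return result


def peers(rows, my_ip):
    """Remote addresses seen with my_ip, mapped to the signatures each triggered."""
    out = {}
    for r in rows:
        if r["src"] == my_ip:
            peer = r["dst"]
        elif r["dst"] == my_ip:
            peer = r["src"]
        else:
            continue
        out.setdefault(peer, set()).add(r["sig"])
    return out


if __name__ == "__main__":
    header, rows = parse_summary(SNORT_SUMMARY)
    print("consistency problems:", check_totals(header, rows) or "none")
    for direction, sigs in by_direction(rows, MY_IP).items():
        for sig, n in sigs.most_common():
            print(f"{direction:9} {n:3}  {sig}")
    for peer, sigs in sorted(peers(rows, MY_IP).items()):
        print(peer, "->", ", ".join(sorted(sigs)))
```

Run against the report this gives one outbound signature (the six http_inspect events from 138.89.107.88 to 65.54.184.250) and eight inbound events from three peers. Checking the rows against the header first matters because the percentages in the report are computed over "Total events", so a parser that silently drops a row produces a per-direction breakdown that no longer matches the report it claims to summarize.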


