
Interpreting Snort results



I've installed Snort on my Debian desktop (as recommended on the Debian security advice page) but am not sure how to interpret the emails it is sending through. Here's a typical morning email - does this look like anything to worry about? (I'm already running the Firestarter firewall which gets a "Stealth" rating from the ShieldsUp test.)

(NB I've partly obscured my own IP address.)

Events between  02 09 16:19:03  and  02 09 23:42:40
Total events: 206
Signatures recorded: 3
Source IP recorded: 1
Destination IP recorded: 9


Events from same host to same destination using same method
=========================================================================
 # of  from             to               method
=========================================================================
 104  80.1.xxx.x       66.102.15.100    (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
  35  80.1.xxx.x       87.248.208.18    (http_inspect) DOUBLE DECODING ATTACK
  34  80.1.xxx.x       87.248.208.12    (http_inspect) DOUBLE DECODING ATTACK
  15  80.1.xxx.x       194.158.126.24   (http_inspect) DOUBLE DECODING ATTACK
   6  80.1.xxx.x       209.10.235.166   (http_inspect) DOUBLE DECODING ATTACK
   5  80.1.xxx.x       64.14.196.202    (http_inspect) DOUBLE DECODING ATTACK
   3  80.1.xxx.x       194.158.126.14   (http_inspect) DOUBLE DECODING ATTACK
   3  80.1.xxx.x       87.248.208.30    (http_inspect) DOUBLE DECODING ATTACK


Percentage and number of events from a host to a destination
============================================================
  %    # of  from             to
============================================================
50.49   104  80.1.xxx.x       66.102.15.100
16.99    35  80.1.xxx.x       87.248.208.18
16.50    34  80.1.xxx.x       87.248.208.12
 7.28    15  80.1.xxx.x       194.158.126.24
 2.91     6  80.1.xxx.x       209.10.235.166
 2.43     5  80.1.xxx.x       64.14.196.202
 1.46     3  80.1.xxx.x       87.248.208.30
 1.46     3  80.1.xxx.x       194.158.126.14


Percentage and number of events from one host to any with same method
==============================================================
  %    # of  from             method
==============================================================
50.49   104  80.1.xxx.x       (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
49.03   101  80.1.xxx.x       (http_inspect) DOUBLE DECODING ATTACK


Percentage and number of events to one certain host
=================================================================
  %    # of  to               method
=================================================================
50.49   104  66.102.15.100    (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
16.99    35  87.248.208.18    (http_inspect) DOUBLE DECODING ATTACK
16.50    34  87.248.208.12    (http_inspect) DOUBLE DECODING ATTACK
 7.28    15  194.158.126.24   (http_inspect) DOUBLE DECODING ATTACK
 2.91     6  209.10.235.166   (http_inspect) DOUBLE DECODING ATTACK
 2.43     5  64.14.196.202    (http_inspect) DOUBLE DECODING ATTACK
 1.46     3  194.158.126.14   (http_inspect) DOUBLE DECODING ATTACK
 1.46     3  87.248.208.30    (http_inspect) DOUBLE DECODING ATTACK


The distribution of event methods
===============================================
  %    # of  method
===============================================
50.49   104  (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
		 104   80.1.xxx.x      -> 66.102.15.100
49.03   101  (http_inspect) DOUBLE DECODING ATTACK
		 35    80.1.xxx.x      -> 87.248.208.18
		 34    80.1.xxx.x      -> 87.248.208.12
		 15    80.1.xxx.x      -> 194.158.126.24
		 6     80.1.xxx.x      -> 209.10.235.166
		 5     80.1.xxx.x      -> 64.14.196.202
		 3     80.1.xxx.x      -> 194.158.126.14
		 3     80.1.xxx.x      -> 87.248.208.30


