Interpreting Snort results
I've installed Snort on my Debian desktop (as recommended on the Debian
security advice page) but am not sure how to interpret the emails it is
sending through. Here's a typical morning email - does this look like
anything to worry about? (I'm already running the Firestarter firewall
which gets a "Stealth" rating from the ShieldsUp test.)
(NB I've partly obscured my own IP address.)
Events between 02 09 16:19:03 and 02 09 23:42:40
Total events: 206
Signatures recorded: 3
Source IP recorded: 1
Destination IP recorded: 9
Events from same host to same destination using same method
=========================================================================
# of from to method
=========================================================================
104 80.1.xxx.x 66.102.15.100 (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
35 80.1.xxx.x 87.248.208.18 (http_inspect) DOUBLE DECODING ATTACK
34 80.1.xxx.x 87.248.208.12 (http_inspect) DOUBLE DECODING ATTACK
15 80.1.xxx.x 194.158.126.24 (http_inspect) DOUBLE DECODING ATTACK
6 80.1.xxx.x 209.10.235.166 (http_inspect) DOUBLE DECODING ATTACK
5 80.1.xxx.x 64.14.196.202 (http_inspect) DOUBLE DECODING ATTACK
3 80.1.xxx.x 194.158.126.14 (http_inspect) DOUBLE DECODING ATTACK
3 80.1.xxx.x 87.248.208.30 (http_inspect) DOUBLE DECODING ATTACK
Percentage and number of events from a host to a destination
============================================================
% # of from to
============================================================
50.49 104 80.1.xxx.x 66.102.15.100
16.99 35 80.1.xxx.x 87.248.208.18
16.50 34 80.1.xxx.x 87.248.208.12
7.28 15 80.1.xxx.x 194.158.126.24
2.91 6 80.1.xxx.x 209.10.235.166
2.43 5 80.1.xxx.x 64.14.196.202
1.46 3 80.1.xxx.x 87.248.208.30
1.46 3 80.1.xxx.x 194.158.126.14
Percentage and number of events from one host to any with same method
==============================================================
% # of from method
==============================================================
50.49 104 80.1.xxx.x (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
49.03 101 80.1.xxx.x (http_inspect) DOUBLE DECODING ATTACK
Percentage and number of events to one certain host
=================================================================
% # of to method
=================================================================
50.49 104 66.102.15.100 (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
16.99 35 87.248.208.18 (http_inspect) DOUBLE DECODING ATTACK
16.50 34 87.248.208.12 (http_inspect) DOUBLE DECODING ATTACK
7.28 15 194.158.126.24 (http_inspect) DOUBLE DECODING ATTACK
2.91 6 209.10.235.166 (http_inspect) DOUBLE DECODING ATTACK
2.43 5 64.14.196.202 (http_inspect) DOUBLE DECODING ATTACK
1.46 3 194.158.126.14 (http_inspect) DOUBLE DECODING ATTACK
1.46 3 87.248.208.30 (http_inspect) DOUBLE DECODING ATTACK
The distribution of event methods
===============================================
% # of method
===============================================
50.49 104 (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
104 80.1.xxx.x -> 66.102.15.100
49.03 101 (http_inspect) DOUBLE DECODING ATTACK
35 80.1.xxx.x -> 87.248.208.18
34 80.1.xxx.x -> 87.248.208.12
15 80.1.xxx.x -> 194.158.126.24
6 80.1.xxx.x -> 209.10.235.166
5 80.1.xxx.x -> 64.14.196.202
3 80.1.xxx.x -> 194.158.126.14
3 80.1.xxx.x -> 87.248.208.30
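As an added illustration (not part of the original message or of the snort-stat tool), the script below parses the "same host to same destination using same method" table of a snort-stat digest like the one quoted above and sorts the rows by direction relative to a set of local addresses. The sample text is copied from the post; the one assumption is that 80.1.xxx.x is the local host, as the poster states. Both signature names come from Snort's http_inspect preprocessor, which normalises HTTP traffic and raises DOUBLE DECODING ATTACK when a URI still contains percent-encoded characters after one round of decoding, and OVERSIZE REQUEST-URI DIRECTORY when a directory component of the URI exceeds the configured length. The script also checks the rows against the digest's own header: here the header counts 206 events, 3 signatures and 9 destinations, but the rows sum to 205 events across 2 signatures and 8 destinations, so one event is not shown in the table.

```python
import re
from collections import Counter

# Constructed sample: the header and the per-pair table of a snort-stat
# digest, copied from the quoted message (local address obscured as there).
SAMPLE = """\
Events between 02 09 16:19:03 and 02 09 23:42:40
Total events: 206
Signatures recorded: 3
Source IP recorded: 1
Destination IP recorded: 9

Events from same host to same destination using same method
=========================================================================
# of from to method
=========================================================================
104 80.1.xxx.x 66.102.15.100 (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
35 80.1.xxx.x 87.248.208.18 (http_inspect) DOUBLE DECODING ATTACK
34 80.1.xxx.x 87.248.208.12 (http_inspect) DOUBLE DECODING ATTACK
15 80.1.xxx.x 194.158.126.24 (http_inspect) DOUBLE DECODING ATTACK
6 80.1.xxx.x 209.10.235.166 (http_inspect) DOUBLE DECODING ATTACK
5 80.1.xxx.x 64.14.196.202 (http_inspect) DOUBLE DECODING ATTACK
3 80.1.xxx.x 194.158.126.14 (http_inspect) DOUBLE DECODING ATTACK
3 80.1.xxx.x 87.248.208.30 (http_inspect) DOUBLE DECODING ATTACK
"""

# A data row: count, source, destination, "(preprocessor) SIGNATURE NAME".
# Rules of '=', section titles and the '# of ...' header do not match.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+\((\w+)\)\s+(.+?)\s*$")
HEADER = re.compile(
    r"^(Total events|Signatures recorded|Source IP recorded|Destination IP recorded):\s+(\d+)",
    re.M,
)


def parse_header(text):
    """Return the digest's own totals as {field: int}."""
    return {field: int(n) for field, n in HEADER.findall(text)}


def parse_rows(text):
    """Return [(count, src, dst, signature)] for every data row in the text."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            count, src, dst, preproc, name = m.groups()
            rows.append((int(count), src, dst, f"{preproc}: {name}"))
    return rows


def summarize(text, local_hosts):
    """Aggregate rows by signature and by direction relative to local_hosts.

    Direction tells you more than the signature names do: a row whose
    *source* is one of our own hosts was raised on traffic that host sent
    (for example its browser's HTTP requests being inspected on the way out),
    whereas a row whose *destination* is local is something arriving at it.
    """
    header = parse_header(text)
    rows = parse_rows(text)
    by_sig, by_dir = Counter(), Counter()
    peers, dsts = set(), set()
    for count, src, dst, sig in rows:
        by_sig[sig] += count
        dsts.add(dst)
        if src in local_hosts:
            by_dir["outbound"] += count
            peers.add(dst)
        elif dst in local_hosts:
            by_dir["inbound"] += count
            peers.add(src)
        else:
            by_dir["transit"] += count
    listed = sum(by_sig.values())
    return {
        "header": header,
        "total_listed": listed,
        "by_signature": dict(by_sig),
        "by_direction": dict(by_dir),
        "peers": sorted(peers),
        "all_outbound": bool(rows) and set(by_dir) == {"outbound"},
        # How much of the digest's own totals the table rows do not account for.
        "unlisted_events": header.get("Total events", listed) - listed,
        "unlisted_signatures": header.get("Signatures recorded", len(by_sig)) - len(by_sig),
        "unlisted_destinations": header.get("Destination IP recorded", len(dsts)) - len(dsts),
    }


if __name__ == "__main__":
    # Assumption: 80.1.xxx.x is the machine running Snort, as the post says.
    report = summarize(SAMPLE, local_hosts={"80.1.xxx.x"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the quoted digest, every listed alert has the local machine as its source and a different external web server as its destination, with nothing inbound, and the header-versus-table gap is exactly one event, one signature and one destination. That is the first thing worth establishing before reading anything into the signature names.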