Snort mailing list archives
Re: Linux and packet loss
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Fri, 3 Aug 2001 09:28:24 +1200
On Thu, Aug 02, 2001 at 10:27:42AM +0100, Matthew Collins wrote:
> I've found out what was going on here. All our inbound traffic comes through a reverse proxy server. The IDS only logs the Internet to Firewall traffic, and the reverse proxy is behind the firewall.
That doesn't apply to the problem I'm seeing :-(
I can see 36 occurrences of "GET /def...." in my Apache logs now, and snort
has picked up 4 of them.
The last one snort picked up was:
Aug 2 22:47:13 pluto snort: [1:1243:1] WEB-IIS ISAPI .XXX attempt
[Classification: Attempted Administrator Privilege Gain] [Priority: 10]:
<eth0> {TCP} 203.247.199.10:3044 -> 203.167.239.195:80
Apache logs 13 such attempts after that...
I just manually telneted to port 80 on our web server and typed in that
appropriate string - snort logged it immediately (yes, snort is logging
attempts from both our LAN and the Internet).
The rule is:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .XXX
attempt"; uricontent:".XXX?"; nocase; dsize:>239; flags:A+;
reference:arachnids,552; classtype:attempted-admin;
reference:cve,CAN-2000-0071; sid:1243; rev:1;)
And all of the Apache logfile entries show the likes of:
GET /default.XXX?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN\
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN\
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN\
NNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3\
%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a\
HTTP/1.0" 404 295 "-" "-" "-" "-" "-" "-" "-"
(I've replaced you-know-what with XXX)
Could this be a problem with stream4_reassemble or the defragger module?
Could some mistake there be throwing off the alerts?
I'm still seeing the odd Code Red packet coming through. I'll run up tcpdump
on the same host as snort and see if it catches anything snort doesn't.
--
Cheers
Jason Haar
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
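The comparison the post does by hand (36 requests in Apache, 4 snort alerts), as an added example that is not from the post or from the Snort project: a Python script that reads Apache combined-log lines and Snort syslog alerts, keeps the requests whose URI would satisfy the rule's uricontent test and the alerts carrying sid 1243, and lists the requests that got no alert from the same source within a few seconds. The sample log lines, the 198.51.100.7 address and the year 2001 supplied for syslog timestamps are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample input (not from the post): Apache combined-format lines
# and Snort syslog alerts for the same web server. ".XXX" replaces the real
# extension as the post does; 198.51.100.7 is a documentation address.
APACHE_LOG = """\
203.247.199.10 - - [02/Aug/2001:22:47:13 +1200] "GET /default.XXX?NNNN HTTP/1.0" 404 295 "-" "-"
203.247.199.10 - - [02/Aug/2001:22:47:15 +1200] "GET /index.html HTTP/1.0" 200 1043 "-" "-"
203.247.199.10 - - [02/Aug/2001:22:50:40 +1200] "GET /default.XXX?NNNN HTTP/1.0" 404 295 "-" "-"
198.51.100.7 - - [02/Aug/2001:23:01:02 +1200] "GET /default.XXX?NNNN HTTP/1.0" 404 295 "-" "-"
"""
SNORT_LOG = """\
Aug  2 22:47:13 pluto snort: [1:1243:1] WEB-IIS ISAPI .XXX attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 10]: <eth0> {TCP} 203.247.199.10:3044 -> 203.167.239.195:80
"""

# client IP, bracketed timestamp, method, request URI
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
# syslog timestamp, gid:sid:rev, source IP (port and destination discarded)
SNORT_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort: \[(\d+:\d+:\d+)\] .*?\{TCP\} (\S+):\d+ ->')

def parse_apache(text):
    """Requests whose URI contains '.xxx?' (the rule's uricontent test, nocase)."""
    hits = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m or '.xxx?' not in m.group(4).lower():
            continue
        ts = datetime.strptime(m.group(2).split()[0], '%d/%b/%Y:%H:%M:%S')  # tz dropped
        hits.append((ts, m.group(1), m.group(4)))
    return hits

def parse_snort(text, sid='1243', year=2001):
    """Alerts for one sid; syslog lines carry no year, so it is supplied (assumed 2001)."""
    alerts = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m or m.group(2).split(':')[1] != sid:
            continue
        alerts.append((datetime.strptime(f'{year} {m.group(1)}', '%Y %b %d %H:%M:%S'), m.group(3)))
    return alerts

def find_missed(requests, alerts, window=timedelta(seconds=5)):
    """Apache requests with no alert from the same source IP within +/- window (Apache and Snort stamp at different moments, so allow some slack)."""
    return [r for r in requests
            if not any(ip == r[1] and abs(t - r[0]) <= window for t, ip in alerts)]

if __name__ == '__main__':
    reqs, alerts = parse_apache(APACHE_LOG), parse_snort(SNORT_LOG)
    print(f'{len(reqs)} matching requests in Apache log, {len(alerts)} snort alerts')
    for ts, ip, uri in find_missed(reqs, alerts):
        print(f'no alert for {ip} at {ts:%H:%M:%S}: {uri}')
```

Run it against real logs by replacing the two constants with file contents; any request listed is a detection gap worth checking against the sensor's packet-loss counters and reassembly settings.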