Snort mailing list archives
RE: how to handle this problem
From: "derk van de Velde" <derk () pcvisie nl>
Date: Thu, 20 May 2004 16:17:55 +0200
hi, i installed snort because some weeks ago, one machin inside our network attacked a lot of machines outside. so we were blocked by my isp. i think snort is a good product to signal thise attacks, is that correct? because sometimes i get many alerts aday, is snortalog a good way to track them? is there a better way to find (fast) the real severe alerts? thanks and regards, derk -----Oorspronkelijk bericht----- Van: AJ Butcher, Information Systems and Computing [mailto:Alex.Butcher () bristol ac uk] Verzonden: donderdag 20 mei 2004 15:54 Aan: derk van de Velde; snort user Onderwerp: Re: [Snort-users] how to handle this problem --On 20 May 2004 14:54 +0200 derk van de Velde <derk () pcvisie nl> wrote:
hi,
if found this in met authlog from snort
May 20 02:19:28 pcvisie snort: [1:2307:2] WEB-PHP PayPal Storefront
arbitrary command execution attempt [Classification: Web Application
Attack] [Priority: 1]: {TCP} 10.0.3.128:4978 -> 207.46.130.110:80
May 20 02:19:28 pcvisie snort: [1:2307:2] WEB-PHP PayPal Storefront
arbitrary command execution attempt [Classification: Web Application
Attack] [Priority: 1]: {TCP} 10.0.3.128:4979 -> 207.46.130.110:80
snortalog said high
when i check the 2307 sid on snort.org, it is not clear to me how t handle
this.
1) Check who the target machine (207.46.130.110) belongs to. According to WHOIS, it's Hotmail, so /if/ this /is/ a real attack, it's one of your users (I assume, from the 10.0.0.0/8 address) attacking Hotmail. 2) Verify whether the target machine is using PayPal Storefront. I would suggest "probably not". 3) Examine the payload of the packets that triggered the alert and compare with the rule to determine whether the rule might be a bit too dumb, and could be triggered by innocuous traffic (e.g. email, web pages, image files).
what steps should i take
If this is a real attack (I would guess not), the rest depends on your organisation's policy for dealing with misuse of its computer systems and networks. This is almost certainly a legal, rather than a technical matter.
regards, derk
HTH, Alex. -- Alex Butcher: Security & Integrity, Personal Computer Systems Group Information Systems and Computing GPG Key ID: F9B27DC9 GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9 ------------------------------------------------------- This SF.Net email is sponsored by: Oracle 10g Get certified on the hottest thing ever to hit the market... Oracle 10g. Take an Oracle 10g class now, and we'll give you the exam FREE. http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- how to handle this problem derk van de Velde (May 20)
- Re: how to handle this problem AJ Butcher, Information Systems and Computing (May 20)
- RE: how to handle this problem derk van de Velde (May 20)
- RE: how to handle this problem AJ Butcher, Information Systems and Computing (May 20)
- RE: how to handle this problem derk van de Velde (May 20)
- <Possible follow-ups>
- RE: how to handle this problem Corey Rock (May 20)
- RE: how to handle this problem derk van de Velde (May 21)
- RE: (2) how to handle this problem derk van de Velde (May 21)
- RE: how to handle this problem Corey Rock (May 22)
- Re: how to handle this problem AJ Butcher, Information Systems and Computing (May 20)