This is a discussion on Re: [Snort-users] Suspect activity: proxy scan attempts, SNMP access, within the Snort forums, part of the System Security and Security Related category.
I would go look at the suspected host and look at what it is, and what is causing these alerts. These are different information gathering packets. The https server sounds like a console for a security product from Protego Networks (google is your friend!). Take a look at this from their website; it looks like they have a scanning and information gathering product:

Protego Networks' NetSmart(tm) technology automatically creates a virtual map of the network, identifying policy and configuration issues that could lead to breaches or downtime.

This would totally cause the alerts you're seeing here. Next step is to get off your butt and go find out who is running the device and if they should be running it or not. That is, if you are a security administrator or network admin (or network bully, for that matter). :)

Cheers,
Sean

Saken Seifullin wrote:
> Hello all,
> Is it possible no one can explain these traces????
>
> ----- Original Message -----
> From: "Saken Seifullin" <demetrius13@mail.ru>
> To: <snort-users@lists.sourceforge.net>
> Sent: Friday, May 28, 2004 11:33 AM
> Subject: [Snort-users] Suspect activity: proxy scan attempts, SNMP access, etc
>
>> Hello all,
>> I've noticed very suspect activity from one of the hosts of our corporate B-network. Here is a piece of a Snort log file (I changed the IP of the suspect host to 10.1.1.1, our IP to 10.2.2.2, and the third-party IP of the ISP router to 11.1.1.1). Please, could you help me identify what has happened? Thanks a lot in advance!
>>
>> P.S. I tried to log on to https://10.1.1.1 using a web browser and I saw a web page with a "PROTEGO Networks" logotype and an invitation to log in using name and password. Seems one of PROTEGO Networks' products is installed on that host.
>>
>> [**] [1:368:4] ICMP PING BSDtype [**]
>> [Classification: Misc activity] [Priority: 3]
>> 05/27-10:55:04.125738 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x62
>> 10.1.1.1 -> 10.2.2.2 ICMP TTL:61 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
>> Type:8 Code:0 ID:36641 Seq:0 ECHO
>> [Xref => http://www.whitehats.com/info/IDS152]
>>
>> [**] [1:368:4] ICMP PING BSDtype [**]
>> [Classification: Misc activity] [Priority: 3]
>> 05/27-10:55:05.120881 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x62
>> 10.1.1.1 -> 10.2.2.2 ICMP TTL:61 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
>> Type:8 Code:0 ID:36641 Seq:256 ECHO
>> [Xref => http://www.whitehats.com/info/IDS152]
>>
>> [**] [1:469:1] ICMP PING NMAP [**]
>> [Classification: Attempted Information Leak] [Priority: 2]
>> 05/27-10:55:05.227082 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x3C
>> 10.1.1.1 -> 10.2.2.2 ICMP TTL:56 TOS:0x0 ID:3913 IpLen:20 DgmLen:28
>> Type:8 Code:0 ID:24939 Seq:7060 ECHO
>> [Xref => http://www.whitehats.com/info/IDS162]
>>
>> [**] [1:615:5] SCAN SOCKS Proxy attempt [**]
>> [Classification: Attempted Information Leak] [Priority: 2]
>> 05/27-10:55:09.572873 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
>> 10.1.1.1:32928 -> 10.2.2.2:1080 TCP TTL:61 TOS:0x0 ID:2481 IpLen:20 DgmLen:60 DF
>> ******S* Seq: 0xC68E68AE Ack: 0x0 Win: 0x16D0 TcpLen: 40
>> TCP Options (5) => MSS: 1460 SackOK TS: 3105055 0 NOP WS: 0
>> [Xref => http://help.undernet.org/proxyscan/]
>>
>> [**] [1:1418:3] SNMP request tcp [**]
>> [Classification: Attempted Information Leak] [Priority: 2]
>> 05/27-10:55:11.269691 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
>> 10.1.1.1:33031 -> 10.2.2.2:161 TCP TTL:61 TOS:0x0 ID:17572 IpLen:20 DgmLen:60 DF
>> ******S* Seq: 0xC6C2256F Ack: 0x0 Win: 0x16D0 TcpLen: 40
>> TCP Options (5) => MSS: 1460 SackOK TS: 3105227 0 NOP WS: 0
>> [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012]
>>
>> [**] [1:620:6] SCAN Proxy Port 8080 attempt [**]
>> [Classification: Attempted Information Leak] [Priority: 2]
>> 05/27-10:55:18.118107 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
>> 10.1.1.1:33557 -> 10.2.2.2:8080 TCP TTL:61 TOS:0x0 ID:19425 IpLen:20 DgmLen:60 DF
>> ******S* Seq: 0xC8032F94 Ack: 0x0 Win: 0x16D0 TcpLen: 40
>> TCP Options (5) => MSS: 1460 SackOK TS: 3105909 0 NOP WS: 0
>>
>> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
>> [Classification: Misc activity] [Priority: 3]
>> 05/27-10:55:18.525653 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
>> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34237 IpLen:20 DgmLen:56
>> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
>> ** ORIGINAL DATAGRAM DUMP:
>> 10.2.2.2:6668 -> 10.1.1.1:33570 TCP TTL:126 TOS:0x0 ID:1583 IpLen:20 DgmLen:40
>> Seq: 0x0 Ack: 0x103A666
>> ** END OF DUMP
>>
>> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
>> [Classification: Misc activity] [Priority: 3]
>> 05/27-10:55:19.087067 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
>> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34330 IpLen:20 DgmLen:56
>> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
>> ** ORIGINAL DATAGRAM DUMP:
>> 10.2.2.2:6668 -> 10.1.1.1:33612 TCP TTL:126 TOS:0x0 ID:1624 IpLen:20 DgmLen:40
>> Seq: 0x0 Ack: 0x402A766
>> ** END OF DUMP
>>
>> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
>> [Classification: Misc activity] [Priority: 3]
>> 05/27-10:55:19.787549 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
>> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34453 IpLen:20 DgmLen:56
>> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
>> ** ORIGINAL DATAGRAM DUMP:
>> 10.2.2.2:6668 -> 10.1.1.1:33654 TCP TTL:126 TOS:0x0 ID:1667 IpLen:20 DgmLen:40
>> Seq: 0x0 Ack: 0x402A766
>> ** END OF DUMP
>>
>> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
>> [Classification: Misc activity] [Priority: 3]
>> 05/27-10:55:21.176282 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
>> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34734 IpLen:20 DgmLen:56
>> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
>> ** ORIGINAL DATAGRAM DUMP:
>> 10.2.2.2:6667 -> 10.1.1.1:33789 TCP TTL:126 TOS:0x0 ID:1800 IpLen:20 DgmLen:40
>> Seq: 0x0 Ack: 0x4838A966
>> ** END OF DUMP
>>
>> [**] [1:618:5] SCAN Squid Proxy attempt [**]
>> [Classification: Attempted Information Leak] [Priority: 2]
>> 05/27-10:55:21.527533 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
>> 10.1.1.1:33879 -> 10.2.2.2:3128 TCP TTL:61 TOS:0x0 ID:41907 IpLen:20 DgmLen:60 DF
>> ******S* Seq: 0xC7A6C676 Ack: 0x0 Win: 0x16D0 TcpLen: 40
>> TCP Options (5) => MSS: 1460 SackOK TS: 3106245 0 NOP WS: 0
>>
>> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
>> [Classification: Misc activity] [Priority: 3]
>> 05/27-10:55:21.819154 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
>> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34935 IpLen:20 DgmLen:56
>> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
>> ** ORIGINAL DATAGRAM DUMP:
>> 10.2.2.2:6666 -> 10.1.1.1:33892 TCP TTL:126 TOS:0x0 ID:1902 IpLen:20 DgmLen:40
>> Seq: 0x0 Ack: 0x103AA66
>> ** END OF DUMP
>>
>> [**] [1:1420:3] SNMP trap tcp [**]
>> [Classification: Attempted Information Leak] [Priority: 2]
>> 05/27-10:55:22.162782 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
>> 10.1.1.1:33943 -> 10.2.2.2:162 TCP TTL:61 TOS:0x0 ID:26627 IpLen:20 DgmLen:60 DF
>> ******S* Seq: 0xC7BA0E01 Ack: 0x0 Win: 0x16D0 TcpLen: 40
>> TCP Options (5) => MSS: 1460 SackOK TS: 3106306 0 NOP WS: 0
>> [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012]
>>
>> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
>> [Classification: Misc activity] [Priority: 3]
>> 05/27-10:55:22.598958 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
>> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35094 IpLen:20 DgmLen:56
>> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
>> ** ORIGINAL DATAGRAM DUMP:
>> 10.2.2.2:6666 -> 10.1.1.1:33971 TCP TTL:126 TOS:0x0 ID:1980 IpLen:20 DgmLen:40
>> Seq: 0x0 Ack: 0x103AA66
>> ** END OF DUMP
>>
>> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
>> [Classification: Misc activity] [Priority: 3]
>> 05/27-10:55:23.103595 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
>> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35172 IpLen:20 DgmLen:56
>> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
>> ** ORIGINAL DATAGRAM DUMP:
>> 10.2.2.2:6666 -> 10.1.1.1:34005 TCP TTL:126 TOS:0x0 ID:2014 IpLen:20 DgmLen:40
>> Seq: 0x0 Ack: 0x402080A
>> ** END OF DUMP
>>
>> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
>> [Classification: Misc activity] [Priority: 3]
>> 05/27-10:55:23.777658 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
>> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35193 IpLen:20 DgmLen:56
>> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
>> ** ORIGINAL DATAGRAM DUMP:
>> 10.2.2.2:6666 -> 10.1.1.1:34006 TCP TTL:126 TOS:0x0 ID:2015 IpLen:20 DgmLen:40
>> Seq: 0x0 Ack: 0x4600
>> ** END OF DUMP
>>
>> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
>> [Classification: Misc activity] [Priority: 3]
>> 05/27-10:55:24.415184 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
>> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35214 IpLen:20 DgmLen:56
>> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
>> ** ORIGINAL DATAGRAM DUMP:
>> 10.2.2.2:6666 -> 10.1.1.1:34009 TCP TTL:126 TOS:0x0 ID:2016 IpLen:20 DgmLen:40
>> Seq: 0x0 Ack: 0x103AC66
>> ** END OF DUMP
>>
>> [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
>> [Classification: Misc activity] [Priority: 3]
>> 05/27-10:55:25.038100 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x46
>> 11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:35221 IpLen:20 DgmLen:56
>> Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
>> ** ORIGINAL DATAGRAM DUMP:
>> 10.2.2.2:6666 -> 10.1.1.1:34012 TCP TTL:126 TOS:0x0 ID:2017 IpLen:20 DgmLen:40
>> Seq: 0x0 Ack: 0x402080A
>> ** END OF DUMP
>>
>> [**] [1:628:3] SCAN nmap TCP [**]
>> [Classification: Attempted Information Leak] [Priority: 2]
>> 05/27-10:55:25.470114 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
>> 10.1.1.1:44347 -> 10.2.2.2:1 TCP TTL:46 TOS:0x0 ID:62358 IpLen:20 DgmLen:60
>> ***A**** Seq: 0x2D50C05C Ack: 0x0 Win: 0x800 TcpLen: 40
>> TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL
>> [Xref => http://www.whitehats.com/info/IDS28]
>>
>> [**] [1:1228:3] SCAN nmap XMAS [**]
>> [Classification: Attempted Information Leak] [Priority: 2]
>> 05/27-10:55:25.473381 0:D:29:2C:C6:60 -> 0:E:7F:29:59:EF type:0x800 len:0x4A
>> 10.1.1.1:44348 -> 10.2.2.2:1 TCP TTL:41 TOS:0x0 ID:26303 IpLen:20 DgmLen:60
>> **U*P**F Seq: 0x2D50C05C Ack: 0x0 Win: 0x400 TcpLen: 40 UrgPtr: 0x0
>> TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL
>> [Xref => http://www.whitehats.com/info/IDS30]
>>
>> -------------------------------------------------------
>> This SF.Net email is sponsored by: Oracle 10g
>> Get certified on the hottest thing ever to hit the market... Oracle 10g.
>> Take an Oracle 10g class now, and we'll give you the exam FREE.
>> http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users@lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
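Sean's advice is to work out what the host is and what is driving the alerts. As an added example (not from the thread, and not Snort's own code), the following Python parses Snort's full alert format, groups the "Attempted Information Leak" signatures by source host so that one host walking ping, proxy-port and SNMP probes stands out, and attributes the ICMP admin-prohibited alerts from the ISP router to the flow that was actually filtered. The sample log is constructed from the thread's anonymised addresses; thresholds and field names are the author's choices.

```python
import re
from collections import defaultdict
# Constructed sample in Snort's "full" alert format (timestamp/Ethernet lines omitted); addresses as anonymised in the thread.
SAMPLE = """\
[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
10.1.1.1 -> 10.2.2.2 ICMP TTL:56 TOS:0x0 ID:3913 IpLen:20 DgmLen:28

[**] [1:615:5] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
10.1.1.1:32928 -> 10.2.2.2:1080 TCP TTL:61 TOS:0x0 ID:2481 IpLen:20 DgmLen:60 DF

[**] [1:1418:3] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
10.1.1.1:33031 -> 10.2.2.2:161 TCP TTL:61 TOS:0x0 ID:17572 IpLen:20 DgmLen:60 DF

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
11.1.1.1 -> 10.2.2.2 ICMP TTL:255 TOS:0x0 ID:34237 IpLen:20 DgmLen:56
** ORIGINAL DATAGRAM DUMP:
10.2.2.2:6668 -> 10.1.1.1:33570 TCP TTL:126 TOS:0x0 ID:1583 IpLen:20 DgmLen:40
"""
HEADER = re.compile(r"\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]")
CLASS = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d)\]")
IP = r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))?"
FLOW = re.compile(rf"^{IP} -> {IP} (\w+)", re.M)              # the record's IP header line
ORIG = re.compile(rf"ORIGINAL DATAGRAM DUMP:\s*{IP} -> {IP}")  # datagram embedded in ICMP errors

def parse_alerts(text):
    alerts = []
    for rec in re.split(r"\n\s*\n", text.strip()):  # records are separated by a blank line
        h, c, f = HEADER.search(rec), CLASS.search(rec), FLOW.search(rec)
        if not (h and c and f):
            continue  # truncated record: skip it rather than mis-attribute it
        a = {"sid": h[1], "msg": h[2], "cls": c[1], "src": f[1], "dst": f[3], "dport": f[4]}
        if o := ORIG.search(rec):  # the router sending the ICMP error is not the actor: record whose packet was dropped
            a["orig_src"], a["orig_dst"] = o[1], o[3]
        alerts.append(a)
    return alerts

def triage(alerts, min_sigs=3):
    """Sources with several distinct info-leak signatures: one host walking ping, proxy and SNMP probes is a scanner."""
    sigs = defaultdict(set)
    for a in alerts:
        if a["cls"] == "Attempted Information Leak":
            sigs[a["src"]].add(a["msg"])
    return {src: sorted(s) for src, s in sigs.items() if len(s) >= min_sigs}

def filtered_flows(alerts):  # (reporting router, original src, original dst) per admin-prohibited alert
    return [(a["src"], a["orig_src"], a["orig_dst"]) for a in alerts if "orig_src" in a]
```

Run against the real alert file, `triage` names the host to go and look at, and `filtered_flows` shows that the 11.1.1.1 alerts are the ISP router reporting on 10.2.2.2's own packets rather than a second scanner.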