
[Snort-users] Suggested directions for investigation??

11-24-2004
Mike Kelley


I just brought up my snort\acid\mysql box.

I have a situation where I am seeing hundreds of alerts with the same
source IP and the same destination IP; it seems to be getting hit by 3
alert signatures. These alerts are climbing the ports on the source but
all point back to the destination on port 80.

The alerts are

(http_inspect) APACHE WHITESPACE (TAB)

(http_inspect) BARE BYTE UNICODE ENCODING

(http_inspect) NON-RFC HTTP DELIMITER

Since I'm seeing the ports increment numerically (most of the time,
sometimes there are gaps of 2-10 ports) I'm under the impression I'm
getting port scanned on the source box (internal IP on corp network) by
the destination (public IP).

Would anyone (please) point me in the next direction on investigating
what is going on and what to do? My team and I can "big hammer" the
situation by formatting the destination and securing the firewall
implicitly on the source IP, but what I'm hoping to find out is what
would those of you with years of working these incidents do?

Here is the ARIN whois on the source IP

**SNIP**

Server Used: [ whois.arin.net ]

66.182.90.242 = [ cust-66-182-90-242.bbsc.net ]

OrgName: BroadBand Solutions America
OrgID: BSA-26
Address: 630 West 9560 South Suite A
City: Sandy
StateProv: UT
PostalCode: 84070
Country: US
NetRange: 66.182.64.0 - 66.182.95.255
CIDR: 66.182.64.0/19
NetName: BBSC-NET
NetHandle: NET-66-182-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BBSC.NET
NameServer: NS4.BBSC.NET

**SNIP**

Thanks in advance to any and all suggestions (tell me which ones to read
and I'll RTFM!!!)

Mike

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
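An added triage script for the pattern Mike describes (many alerts between one source/destination pair, three http_inspect signatures, source port climbing with gaps of a few ports, destination always port 80); it is not from the post or from the Snort project, and it assumes the alerts are available as Snort 2.x fast-format lines rather than only in the ACID database. Monotonically rising source ports toward a single fixed destination port are what a client's ephemeral ports look like, whereas a port scan varies the destination port, so the script reports per pair which side's port is moving along with the count per signature. The sample lines, the `[0:0:0]` rule tags and the IP addresses are constructed placeholders.

```python
"""Added triage helper for a burst of Snort http_inspect alerts between one src/dst pair.
A port scan varies the destination port; a client issuing many HTTP requests keeps dst
port 80 fixed and walks upward through its own ephemeral source ports, with small gaps."""
import re
from collections import Counter, defaultdict

# Snort 2.x fast-alert layout: "<ts>  [**] [gid:sid:rev] <msg> [**] ... {PROTO} src:sport -> dst:dport"
ALERT_RE = re.compile(r"^\S+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?\{\w+\}\s+"
                      r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample lines mirroring the post's pattern: [0:0:0] is a placeholder rule tag and
# the IPs are RFC 1918 / RFC 5737 test addresses, not the addresses quoted in the post.
SAMPLE_ALERTS = [
    "11/24-09:01:02.000001  [**] [0:0:0] (http_inspect) APACHE WHITESPACE (TAB) [**] [Priority: 3] {TCP} 10.0.0.5:1034 -> 203.0.113.10:80",
    "11/24-09:01:02.100002  [**] [0:0:0] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.5:1035 -> 203.0.113.10:80",
    "11/24-09:01:03.200003  [**] [0:0:0] (http_inspect) NON-RFC HTTP DELIMITER [**] [Priority: 3] {TCP} 10.0.0.5:1038 -> 203.0.113.10:80",
    "11/24-09:01:03.300004  [**] [0:0:0] (http_inspect) APACHE WHITESPACE (TAB) [**] [Priority: 3] {TCP} 10.0.0.5:1045 -> 203.0.113.10:80",
    "this line is not an alert and must be skipped",
]

def parse_alert(line):
    """Return the fields of one fast-format alert line, or None for a non-matching line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
    return a

def triage(lines):
    """Per src->dst pair: alert count, count per signature, dst ports seen and the port pattern."""
    by_pair = defaultdict(list)
    for a in filter(None, map(parse_alert, lines)):
        by_pair[(a["src"], a["dst"])].append(a)
    report = {}
    for pair, alerts in by_pair.items():
        sports = [a["sport"] for a in alerts]
        dports = sorted({a["dport"] for a in alerts})
        gaps = [later - earlier for earlier, later in zip(sports, sports[1:])]
        if len(dports) > 1:
            pattern = "destination ports vary: scan-like"
        elif gaps and all(g > 0 for g in gaps):
            pattern = "dst port fixed, src ports climbing: client-side ephemeral ports"
        else:
            pattern = "dst port fixed, src ports not monotonic"
        report[pair] = {"alerts": len(alerts), "signatures": Counter(a["msg"] for a in alerts),
                        "dst_ports": dports, "pattern": pattern,
                        "src_gap_range": (min(gaps), max(gaps)) if gaps else None}
    return report
```

Running `triage(SAMPLE_ALERTS)` on the constructed lines reports one pair with four alerts, destination port 80 only and source-port gaps between 1 and 7, i.e. the client-side pattern; a batch whose destination ports vary is reported as scan-like instead.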