Old 11-25-2005, 03:19 PM   #1
lord-fu
Member
 
Registered: Apr 2005
Location: Ohio
Distribution: Slackware && freeBSD
Posts: 676

Rep: Reputation: 30
snort alerts


Hello,

freeBSD 5.4

Relatively new to IDS. I have had snort in for a week or so now. I check all my logs on a daily basis. I am used to seeing stuff in httpd-error.log and vsftpd.log; however, being new to snort, I am confused. I realize that this is just intrusion detection; what should I do in response to these alerts below? I am just used to seeing IPs in certain logs and then just blocking them at the firewall. However, on some days this gets to be a pain, as this can take quite a while when I get hit from a wide range of IPs.
I checked snort log first thing today and it seems to be picking up my laptop as trying to use ftp exploits.
Code:
[**] [1:1748:8] FTP command overflow attempt [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
11/24-14:02:32.735830 192.168.1.4:3247 -> 192.168.1.1:21
TCP TTL:128 TOS:0x0 ID:20571 IpLen:20 DgmLen:358 DF
***AP*** Seq: 0x1C5D5B76  Ack: 0x681EACAD  Win: 0x4470  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0606][Xref => http://www.securityfocus.com/bid/4638]

[**] [1:1378:15] FTP wu-ftp bad file completion attempt { [**]
[Classification: Misc Attack] [Priority: 2]
11/24-14:02:32.921308 192.168.1.4:3247 -> 192.168.1.1:21
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:286
***AP*** Seq: 0x681EADE9  Ack: 0x1C5D5DAA  Win: 0xFFFF  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0886][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0550][Xref => http://www.securityfocus.com/bid/3707][Xref => http://www.securityfocus.com/bid/3581]

[**] [1:2417:2] FTP format string attempt [**]
[Classification: A suspicious string was detected] [Priority: 3]
11/24-14:02:32.921308 192.168.1.4:3247 -> 192.168.1.1:21
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:286
***AP*** Seq: 0x681EADE9  Ack: 0x1C5D5DAA  Win: 0xFFFF  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/9800]
Now this is a relatively new XP install on my laptop, about a week or so old. I was trying to ftp to my server at around this time, vsftpd and SSL. I guess I am just asking if anyone has insight into this for me?
I get a lot of alerts for other things too; here is an example of a few from yesterday and today.


Code:
[**] [1:621:7] SCAN FIN [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/24-15:03:40.272725 217.162.177.129:54081 -> 192.168.1.1:6348
TCP TTL:47 TOS:0x0 ID:23295 IpLen:20 DgmLen:40 DF
*******F Seq: 0x2A3418C3  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS27]

[**] [1:621:7] SCAN FIN [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/24-15:03:40.280490 217.162.177.129:54081 -> 192.168.1.1:6348
TCP TTL:47 TOS:0x0 ID:23296 IpLen:20 DgmLen:40 DF
*******F Seq: 0x2A3418C2  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS27]

[**] [1:621:7] SCAN FIN [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/25-03:23:00.526206 217.162.183.172:54408 -> 192.168.1.1:6348
TCP TTL:47 TOS:0x0 ID:51412 IpLen:20 DgmLen:40 DF
*******F Seq: 0xD4966A0D  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS27]

[**] [1:621:7] SCAN FIN [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/25-03:23:00.529865 217.162.183.172:54408 -> 192.168.1.1:6348
TCP TTL:47 TOS:0x0 ID:51413 IpLen:20 DgmLen:40 DF
*******F Seq: 0xD4966A0C  Ack: 0x0  Win: 0xFFFF  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS27]
I realize that these are scans, and I have set my firewall to drop scans, but if they are scanning my external IP they are getting my router, which forwards ssh to another machine on my network and 20, 21, 80 to this machine.
I have snort monitoring this machine only, and I was wondering how they can scan this machine behind my router when I don't forward the high ports it is scanning? I guess I am just scared. I am going to look for rkhunter for this machine now. I have it on another but not this one.
Any help is greatly appreciated in this matter if more info is needed I will gladly post.

On a side note, I am going to set ACID up to help me read my SQL snort db. Any issues with that I should know about before hand?

Thank you for any help offered.
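One way to triage alerts in the full-format records quoted above is to parse them and split sources that are on your own LAN (like the laptop at 192.168.1.4) from Internet sources before deciding what to block. This is an added example, not code from the post or from Snort; the sample records are constructed to mirror the post's format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Snort's "full" alert format, modelled on the
# records quoted in the post (not copied from a live sensor).
SAMPLE_ALERTS = """\
[**] [1:1748:8] FTP command overflow attempt [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
11/24-14:02:32.735830 192.168.1.4:3247 -> 192.168.1.1:21
TCP TTL:128 TOS:0x0 ID:20571 IpLen:20 DgmLen:358 DF

[**] [1:621:7] SCAN FIN [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/24-15:03:40.272725 217.162.177.129:54081 -> 192.168.1.1:6348
TCP TTL:47 TOS:0x0 ID:23295 IpLen:20 DgmLen:40 DF

[**] [1:621:7] SCAN FIN [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/25-03:23:00.526206 217.162.183.172:54408 -> 192.168.1.1:6348
TCP TTL:47 TOS:0x0 ID:51412 IpLen:20 DgmLen:40 DF
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]$")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")

def parse_alerts(text):
    """Yield one dict per alert record (records are blank-line separated)."""
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        prio = PRIO_RE.search(lines[1])
        flow = FLOW_RE.match(lines[2])
        if not (head and prio and flow):
            continue  # skip records we cannot parse rather than guess
        yield {
            "sid": head.group(1), "msg": head.group(2),
            "priority": int(prio.group(1)), "time": flow.group(1),
            "src": flow.group(2), "sport": int(flow.group(3)),
            "dst": flow.group(4), "dport": int(flow.group(5)),
        }

def summarize(text):
    """Count alerts per (source, signature, dest port) and tag each source LAN/Internet."""
    counts, origin = Counter(), {}
    for a in parse_alerts(text):
        counts[(a["src"], a["msg"], a["dport"])] += 1
        origin[a["src"]] = "lan" if ipaddress.ip_address(a["src"]).is_private else "internet"
    return counts, origin
```

Sources tagged "lan" (the laptop's FTP alerts here) are candidates for tuning or investigating the client, while repeated "internet" hits on the same signature are what a firewall block list is for.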
 
Old 11-25-2005, 04:28 PM   #2
lord-fu
Member
 
Registered: Apr 2005
Location: Ohio
Distribution: Slackware && freeBSD
Posts: 676

Original Poster
Rep: Reputation: 30
I installed rkhunter and ran it and came up with this

Code:
WARNING, found:  /usr/.snap (directory)  /usr/.Trash-0 (directory)
Is that ok?

Code:
drwx------     4 root  wheel       512 Oct 27 13:41 .Trash-0
drwxrwxr-x   2 root  operator   512 Nov  8 13:35 .snap
Since I came up clean...I guess. Is it too late to install Tripwire (I imagine this answer will be yes, it's too late. I should have installed it right after the initial install before going online)?
Thanks again.
 