LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-02-2010, 07:57 AM   #1
engelienart
Member
 
Registered: Feb 2009
Location: Netherlands
Distribution: Kubuntu, Debian
Posts: 73

Rep: Reputation: 16
snort alerts explanation?


Hi,

I am experiencing a lot of outbound traffic from my internal network which is filtered by snort.

These are the descriptions:

DOUBLE DECODING ATTACK
OVERSIZE REQUEST-URI DIRECTORY
TCP Portscan (from my Linux server!)

I even get some attacks from my provider's modem?! That is on the internet side of my network . . . Strange, strange . . .

I looked around on the internet but I could not find an explanation of what this is. I saw a lot of technical jargon, which I don't understand. Can someone tell me in Dummy speak what these alerts are?

It is outbound traffic, targeted at several IP addresses. I have installed Spybot Search and Destroy on the Windows machines. I have scanned all Windows machines with runscanner.exe (www.runscanner.com). I have scanned my server for rootkits (rkhunter). I have deleted all potential bad programs on the Windows XP machines (found nothing on the Linux server), but I still get the alerts.

Is it a real alert, or is it a false alarm?

Thanx for your help!
 
Old 03-02-2010, 10:31 AM   #2
OlRoy
Member
 
Registered: Dec 2002
Posts: 306

Rep: Reputation: 86
With only a few alert messages, I'm afraid no one on the planet is capable of determining whether they are false positives or not. It could be anything from snort's variables in the config not being correct, to an actual attack, a false positive, etc.

Anyone who analyzes alerts from an IDS needs a combination of the skills and appropriate data to weed out false positives.

For example, does the rule that triggered the alert look very simple, which could trigger a lot of false positives, or is it very specific? What is the payload of the packet that triggered the alert? Was there any suspicious activity involving the source or destination that happened at around the time of the alert?

If you post more information such as the packet contents, make sure you censor any sensitive data.
 
Old 03-03-2010, 07:25 AM   #3
engelienart
Member
 
Registered: Feb 2009
Location: Netherlands
Distribution: Kubuntu, Debian
Posts: 73

Original Poster
Rep: Reputation: 16
Thanx OlRoy.
How can I get that information you are looking for?

Quote:
Originally Posted by OlRoy
For example, does the rule that triggered the alert look very simple, which could trigger a lot of false positives, or is it very specific? What is the payload of the packet that triggered the alert? Was there any suspicious activity involving the source or destination that happened at around the time of the alert?
Kind regardz,

Engel
 
Old 03-16-2010, 08:14 PM   #4
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
OP,

Check your README files in your docs/ directory in your Snort install. The one you want to read is README.http_inspect. That doc will highlight your top two alerts. The bottom one (TCP portscan) will either be addressed by README.http_inspect or your snort.conf file (or whatever your .conf file is named).

Note that you WILL see outbound port scans (that is, originating from your LAN IP(s)) if you haven't yet tuned the portscan parameters. This is Snort doing its job, as the insider threat in corporate (and home) environments is substantial. This preprocessor can pick up legitimate network services polling, also. You can either filter these, threshold them, or investigate them. I think it is a worthwhile alert, even if it alerts to a host on my LAN. More than likely, it is benign but at least something is looking for outbound or internal traffic...this is something that may not show in your FW or systems' logs.
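Both replies above come down to the same thing: the OP needs more context per alert (which preprocessor or rule fired, direction relative to HOME_NET, how often, from which host) before deciding between "investigate" and "threshold". The script below is an added example, not code from this thread or from the Snort project. It parses a handful of constructed Snort 2 alert_fast lines (the kind `-A fast` writes; the IPs, timestamps and counts are made up, and the 119:2 / 119:15 / 122:1 generator:signature numbers are assumed to be the http_inspect and sfportscan events the OP named), tags each alert as inbound, outbound or internal against an assumed HOME_NET of 192.168.1.0/24, aggregates per signature and source host, and then approximates Snort's `event_filter type limit, track by_src` semantics so you can see what a threshold of "one portscan alert per source per 60 seconds" would leave behind.

```python
"""Triage Snort 2.x fast-format alert lines: parse, tag direction against
HOME_NET, aggregate, and apply a Snort-style 'limit' event filter.
Added example; sample data and HOME_NET are constructed assumptions."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# HOME_NET as snort.conf would define it (assumed value for this example).
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines in Snort's alert_fast layout (not real captures).
# Portscan (gid 122) alerts carry no ports and use {PROTO:255}.
SAMPLE_ALERTS = """\
03/02-07:57:01.000100  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.10:51234 -> 203.0.113.5:80
03/02-07:57:03.220000  [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} 192.168.1.10:51240 -> 203.0.113.5:80
03/02-07:57:05.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.1.20 -> 192.168.1.1
03/02-07:57:20.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.1.20 -> 192.168.1.1
03/02-07:57:40.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.1.20 -> 203.0.113.9
03/02-07:58:30.000000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.1.20 -> 203.0.113.9
03/02-07:58:31.000000  [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} 198.51.100.7:40000 -> 192.168.1.10:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<pri>\d+)\]\s+)?"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def split_endpoint(ep):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); portscan alerts carry no port."""
    if ":" in ep:
        host, port = ep.rsplit(":", 1)
        return host, int(port)
    return ep, None


def direction(src, dst):
    """Classify an alert relative to HOME_NET."""
    src_home = any(ipaddress.ip_address(src) in n for n in HOME_NET)
    dst_home = any(ipaddress.ip_address(dst) in n for n in HOME_NET)
    if src_home and dst_home:
        return "internal"
    if src_home:
        return "outbound"
    if dst_home:
        return "inbound"
    return "external"


def parse_alert(line):
    """Parse one fast-format line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {
        "ts": datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f"),
        "gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"],
        "priority": int(m["pri"]) if m["pri"] else None,
        "proto": m["proto"],
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "direction": direction(src, dst),
    }


def parse_alerts(text):
    alerts = [parse_alert(l) for l in text.splitlines() if l.strip()]
    return [a for a in alerts if a]


def summarize(alerts):
    """Counts per (gid:sid, message, direction) and per source host."""
    by_sig = Counter((f"{a['gid']}:{a['sid']}", a["msg"], a["direction"])
                     for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return by_sig, by_src


def apply_limit_filter(alerts, gid, sid, count, seconds):
    """Approximate 'event_filter type limit, track by_src': keep the first
    `count` alerts per source in each `seconds` window, drop the rest."""
    window = {}  # src -> (window_start, seen_in_window)
    kept = []
    for a in alerts:
        if (a["gid"], a["sid"]) != (gid, sid):
            kept.append(a)
            continue
        start, seen = window.get(a["src"], (None, 0))
        if start is None or (a["ts"] - start).total_seconds() >= seconds:
            start, seen = a["ts"], 0
        seen += 1
        window[a["src"]] = (start, seen)
        if seen <= count:
            kept.append(a)
    return kept


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    by_sig, by_src = summarize(alerts)
    for key, n in by_sig.most_common():
        print(n, key)
    print("noisiest sources:", by_src.most_common(3))
    kept = apply_limit_filter(alerts, 122, 1, count=1, seconds=60)
    print(f"{len(alerts)} alerts, {len(kept)} after limiting TCP Portscan")
```

Run it against a real `alert` file from `-A fast` and the per-source table immediately tells you whether the "outbound" portscans all come from one LAN host (worth a look at that host) or from many (more likely the sfportscan sense level needs tuning). Note that fast-format lines contain no payload, which is what OlRoy asked for; for that you need Snort's full or unified2 output, or the `log_tcpdump` output plugin, and you then match the packet to the alert by timestamp and 5-tuple.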
 
Old 03-17-2010, 03:49 AM   #5
engelienart
Member
 
Registered: Feb 2009
Location: Netherlands
Distribution: Kubuntu, Debian
Posts: 73

Original Poster
Rep: Reputation: 16
Thanx a lot. I will investigate ASAP.
 