LinuxQuestions.org > Forums > Linux Forums > Linux - Security
#1  troworld (Member, Mandrake 9.1), posted 08-06-2003, 10:37 AM
Snort, NETBIOS, and SCAN UPNP


Hi!

I've got a Mandrake 9.1 server running on one of the machines on a network. I installed snort when I was setting up the server for the first time, but, seeing as how I'm a newbie, I don't really know what snort messages mean.

The major servers that I have running on the machine are Apache2, Samba, Proftpd, and SSHD.

The network address of the server is 192.168.0.100. The following are a few messages that I got from /var/logs/auth.log:

Aug 6 10:15:00 localhost sshd[22657]: refused connect from 127.0.0.1 (127.0.0.1)
Aug 6 10:15:05 localhost sshd[22621]: Received signal 15; terminating.
Aug 6 10:15:05 localhost sshd[22675]: Server listening on 0.0.0.0 port 22.

Aug 6 11:02:02 localhost snort: [1:1917:3] SCAN UPNP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 192.168.0.140:1904 -> 192.168.0.1:1900
Aug 6 11:02:52 localhost last message repeated 8 times
Aug 6 11:04:07 localhost last message repeated 12 times
Aug 6 11:04:32 localhost last message repeated 7 times
Aug 6 11:04:50 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1635 -> 192.168.0.140:139
Aug 6 11:04:52 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1636 -> 192.168.0.100:139
Aug 6 11:04:52 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1641 -> 192.168.0.140:139
Aug 6 11:04:52 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1636 -> 192.168.0.100:139
Aug 6 11:04:53 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1641 -> 192.168.0.140:139
Aug 6 11:04:56 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1646 -> 192.168.0.122:139
Aug 6 11:04:57 localhost snort: [1:1917:3] SCAN UPNP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 192.168.0.140:1904 -> 192.168.0.1:1900
Aug 6 11:05:47 localhost last message repeated 8 times
Aug 6 11:07:02 localhost last message repeated 12 times
Aug 6 11:08:17 localhost last message repeated 12 times
Aug 6 11:09:07 localhost last message repeated 10 times
Aug 6 11:09:18 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.140:3776 -> 192.168.0.100:139
Aug 6 11:09:18 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.140:3778 -> 192.168.0.185:139
Aug 6 11:09:32 localhost snort: [1:1917:3] SCAN UPNP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 192.168.0.140:1904 -> 192.168.0.1:1900
Aug 6 11:10:22 localhost last message repeated 8 times
Aug 6 11:11:37 localhost last message repeated 12 times
Aug 6 11:12:52 localhost last message repeated 12 times

All of the addresses seem to be coming from inside the network. The messages from the first section were repeated every minute or so, but stopped when I shut down sshd.

The rest of the messages, I assume, are coming from other computers as network scans because they can see the Samba server. Please correct me if I'm wrong.

192.168.0.100 is the server
192.168.0.140 runs WinXP
192.168.0.137 runs WinME
192.168.0.1 - I think this is the default gateway ... not sure.

What can I do about these scans?
I'll provide any other information required. I'm just not sure what I have to post here.

Thanks for any help...
Dmitri
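An added example, not part of the thread or of Snort itself: a small Python script that reads Snort's syslog-style alert lines (the format shown in the post above), folds syslogd's "last message repeated N times" lines into the alert they belong to, and tallies alerts per signature, source and destination, marking whether the source sits inside the LAN. Assumptions are labelled in the code: HOME_NET is taken to be 192.168.0.0/24 from the addresses in the post, the sample log is constructed from a subset of the posted lines, and one line with an outside source (10.9.8.7) was made up to show the LAN/EXT flag. The point it demonstrates is the one the thread turns on: once you see the counts, the UPNP and NETBIOS alerts are all from internal Windows hosts, not from a scanner.

```python
"""Summarise Snort syslog alerts, folding in syslogd repeat lines.

Added example; not code from the thread or from Snort.
"""
import re
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# One Snort alert as written by its syslog output plugin, e.g.
# Aug 6 11:02:02 localhost snort: [1:1917:3] SCAN UPNP service discover attempt
#   [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 192.168.0.140:1904 -> 192.168.0.1:1900
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
# syslogd collapses identical consecutive lines into this. It refers to the
# line immediately before it, which may or may not be a Snort alert.
REPEAT_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ last message repeated (?P<n>\d+) times\s*$"
)


def parse_alerts(lines):
    """Yield (alert_fields, count) for every Snort alert, repeats folded in."""
    last = None  # the previous line's alert fields, or None if it was not a Snort alert
    for line in lines:
        m = ALERT_RE.match(line)
        if m:
            last = m.groupdict()
            yield last, 1
            continue
        r = REPEAT_RE.match(line)
        if r:
            if last is not None:
                yield last, int(r.group("n"))
            continue  # repeat of a non-Snort line (e.g. sshd): nothing to count
        last = None  # any other line (sshd, kernel, ...) breaks the repeat chain


def summarize(lines, home_net="192.168.0.0/24"):
    """Return rows {sid, msg, proto, src, dst, dport, internal, count},
    most frequent first. home_net is an assumption taken from the post."""
    net = ip_network(home_net)
    totals = Counter()
    first_seen = {}
    for a, n in parse_alerts(lines):
        key = (a["sid"], a["proto"], a["src"], a["dst"], a["dport"])
        totals[key] += n
        first_seen.setdefault(key, a)
    rows = []
    for key, count in totals.most_common():
        a = first_seen[key]
        rows.append({
            "sid": int(a["sid"]), "msg": a["msg"], "proto": a["proto"],
            "src": a["src"], "dst": a["dst"], "dport": int(a["dport"]),
            "internal": ip_address(a["src"]) in net,
            "count": count,
        })
    return rows


# Constructed sample: a subset of the lines from the post, plus one made-up
# outside source (10.9.8.7) so the LAN/EXT flag is exercised. The first
# "repeated" line follows an sshd message and must not be counted as Snort.
SAMPLE_LOG = """\
Aug 6 10:15:00 localhost sshd[22657]: refused connect from 127.0.0.1 (127.0.0.1)
Aug 6 10:15:05 localhost last message repeated 3 times
Aug 6 11:02:02 localhost snort: [1:1917:3] SCAN UPNP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 192.168.0.140:1904 -> 192.168.0.1:1900
Aug 6 11:02:52 localhost last message repeated 8 times
Aug 6 11:04:07 localhost last message repeated 12 times
Aug 6 11:04:50 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1635 -> 192.168.0.140:139
Aug 6 11:04:52 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1636 -> 192.168.0.100:139
Aug 6 11:04:52 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1636 -> 192.168.0.100:139
Aug 6 11:09:18 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.140:3776 -> 192.168.0.100:139
Aug 6 11:09:32 localhost snort: [1:1917:3] SCAN UPNP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 10.9.8.7:1904 -> 192.168.0.1:1900
Aug 6 11:10:22 localhost last message repeated 8 times
"""

if __name__ == "__main__":
    # With a path argument, read the file Snort logs to; otherwise use the sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for r in summarize(source):
        where = "LAN" if r["internal"] else "EXT"
        print(f'{r["count"]:5d}  {where}  sid {r["sid"]:<5} {r["proto"]:<3} '
              f'{r["src"]} -> {r["dst"]}:{r["dport"]}  {r["msg"]}')
```

Run it against the file Snort writes to (here the poster's auth.log) and the top rows are the story: 21 UPNP discovery datagrams from the XP box at 192.168.0.140 to port 1900 on the gateway, and a handful of SMB transactions from the WinME and XP hosts to port 139 on each other and on the Samba server. Everything tagged LAN with those ports is Windows browsing its own network, which is why stopping Samba, Apache and proftpd on the Linux box changes nothing.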
 
#2  troworld (Original Poster), posted 08-06-2003, 11:04 AM
Update: the NETBIOS and UPNP scans did not disappear when I shut down samba, apache, and proftpd.
 
#3  unSpawn (Moderator), posted 08-06-2003, 12:12 PM
How about turning UPNP off instead of shutting down services: http://grc.com/UnPnP/UnPnP.htm
 
#4  troworld (Original Poster), posted 08-06-2003, 05:39 PM
Ah .. thanks. That seems to have worked
 
#5  troworld (Original Poster), posted 08-07-2003, 12:09 PM
Mmmm .. correction. It worked, but not fully.

I downloaded the unpnp.exe from grc.com and applied it to all XP/ME machines in the office; however, I'm still getting this from some XP machines:

Aug 7 13:06:37 localhost snort: [1:1917:3] SCAN UPNP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 192.168.0.140:1045 -> 192.168.0.1:1900

I didn't have to do anything with my Linux box; I just had to disable UPNP on the Windows network machines, right?
 
  

