Hi!
I've got a Mandrake 9.1 server running on one of the machines on a network. I installed snort when I was setting up the server for the first time, but, seeing as how I'm a newbie, I don't really know what snort messages mean.
The major servers that I have running on the machine are Apache2, Samba, Proftpd, and SSHD.
The network address of the server is 192.168.0.100. The following are a few messages that I got from /var/logs/auth.log:
Aug 6 10:15:00 localhost sshd[22657]: refused connect from 127.0.0.1 (127.0.0.1)
Aug 6 10:15:05 localhost sshd[22621]: Received signal 15; terminating.
Aug 6 10:15:05 localhost sshd[22675]: Server listening on 0.0.0.0 port 22.
Aug 6 11:02:02 localhost snort: [1:1917:3] SCAN UPNP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 192.168.0.140:1904 -> 192.168.0.1:1900
Aug 6 11:02:52 localhost last message repeated 8 times
Aug 6 11:04:07 localhost last message repeated 12 times
Aug 6 11:04:32 localhost last message repeated 7 times
Aug 6 11:04:50 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1635 -> 192.168.0.140:139
Aug 6 11:04:52 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1636 -> 192.168.0.100:139
Aug 6 11:04:52 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1641 -> 192.168.0.140:139
Aug 6 11:04:52 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1636 -> 192.168.0.100:139
Aug 6 11:04:53 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1641 -> 192.168.0.140:139
Aug 6 11:04:56 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1646 -> 192.168.0.122:139
Aug 6 11:04:57 localhost snort: [1:1917:3] SCAN UPNP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 192.168.0.140:1904 -> 192.168.0.1:1900
Aug 6 11:05:47 localhost last message repeated 8 times
Aug 6 11:07:02 localhost last message repeated 12 times
Aug 6 11:08:17 localhost last message repeated 12 times
Aug 6 11:09:07 localhost last message repeated 10 times
Aug 6 11:09:18 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.140:3776 -> 192.168.0.100:139
Aug 6 11:09:18 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.140:3778 -> 192.168.0.185:139
Aug 6 11:09:32 localhost snort: [1:1917:3] SCAN UPNP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 192.168.0.140:1904 -> 192.168.0.1:1900
Aug 6 11:10:22 localhost last message repeated 8 times
Aug 6 11:11:37 localhost last message repeated 12 times
Aug 6 11:12:52 localhost last message repeated 12 times
All of the addresses seem to be coming from inside the network. The messages from the first section were repeated every minute or so, but stopped when I shut down sshd.
The rest of the messages, I assume, are coming from other computers as network scans because they can see the Samba server. Please correct me if I'm wrong.
192.168.0.100 is the server
192.168.0.140 runs WinXP
192.168.0.137 runs WinME
192.168.0.1 - I think this is the default gateway ... not sure.
What can I do about these scans?
I'll provide any other information required. I'm just not sure what I have to post here.
Thanks for any help...
Dmitri
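To make sense of alerts like the ones above, it helps to know the shape of a snort line written to syslog: `[gid:sid:rev]` identifies the rule that fired (the sid is what you look up in the rule documentation), then the rule message, its classification and priority (1 is the most severe), the protocol, and `source:port -> destination:port`. The `last message repeated N times` lines are added by syslogd, not by snort, and refer to the line immediately before them. The script below is an added example, not part of the original post, that parses such lines, folds the repeat counts back in, and summarises who is talking to whom per signature, which is usually the first thing to establish before deciding whether an alert is a real attack or, as here, traffic between machines on the same LAN. The sample lines are copied from the excerpt in the post; the regex is written for the syslog format shown there and treats ports as optional so ICMP alerts, which carry none, also match.

```python
import re
from collections import Counter

# Shape of a snort alert as it appears in syslog (snort run with -s).
# Ports are optional so ICMP alerts, which have none, still match.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)
# syslogd collapses identical consecutive messages into this line.
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times$")

# Sample input: lines copied from the auth.log excerpt in the post.
SAMPLE_LINES = [
    "Aug 6 10:15:00 localhost sshd[22657]: refused connect from 127.0.0.1 (127.0.0.1)",
    "Aug 6 11:02:02 localhost snort: [1:1917:3] SCAN UPNP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3]: {UDP} 192.168.0.140:1904 -> 192.168.0.1:1900",
    "Aug 6 11:02:52 localhost last message repeated 8 times",
    "Aug 6 11:04:07 localhost last message repeated 12 times",
    "Aug 6 11:04:50 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1635 -> 192.168.0.140:139",
    "Aug 6 11:04:52 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1636 -> 192.168.0.100:139",
    "Aug 6 11:04:56 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.137:1646 -> 192.168.0.122:139",
    "Aug 6 11:09:18 localhost snort: [1:2102:1] NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt [Classification: Detection of a Denial of Service Attack] [Priority: 2]: {TCP} 192.168.0.140:3776 -> 192.168.0.100:139",
]


def parse_alerts(lines):
    """Return a list of (alert_fields, count) pairs.

    'last message repeated N times' lines are folded into the count of
    the alert directly before them; any other line (sshd, etc.) ends the
    repeat chain, because syslogd's repeat refers to the previous line.
    """
    alerts = []
    last = None
    for line in lines:
        line = line.rstrip("\n")
        m = ALERT_RE.match(line)
        if m:
            d = m.groupdict()
            d["sid"] = int(d["sid"])
            d["prio"] = int(d["prio"])
            last = [d, 1]
            alerts.append(last)
            continue
        r = REPEAT_RE.search(line)
        if r and last is not None:
            last[1] += int(r.group("n"))
            continue
        last = None
    return [(a, n) for a, n in alerts]


def summarize(lines):
    """Count alerts per (sid, src, dst) and remember each sid's message."""
    counts = Counter()
    names = {}
    for a, n in parse_alerts(lines):
        counts[(a["sid"], a["src"], a["dst"])] += n
        names[a["sid"]] = (a["msg"], a["cls"], a["prio"])
    return counts, names


def report(lines):
    """One text line per (sid, src, dst), most severe priority first,
    then highest count first."""
    counts, names = summarize(lines)
    out = []
    order = sorted(counts.items(), key=lambda kv: (names[kv[0][0]][2], -kv[1]))
    for (sid, src, dst), n in order:
        msg, cls, prio = names[sid]
        out.append(f"prio {prio}  sid {sid:<5} {n:4}x  {src} -> {dst}  {msg}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LINES):
        print(line)
```

Run against a whole file with `report(open("/var/log/auth.log"))`. Grouping by source and destination is what shows the pattern in the post at a glance: every UPNP alert is one Windows XP host (192.168.0.140) looking for the gateway's UPnP service, and every NETBIOS alert comes from the two Windows hosts browsing the LAN's SMB shares, so the first question is whether those hosts should be doing that, not whether an outsider is attacking.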