[Snort-users] anything to worry about?

Fyodor fygrave at ...121...
Sun Oct 8 01:55:30 EDT 2000


~ :Whitehat's Archinid shows 3 hits for WinGate, and one has a 
~ :content of 04 5A, whereas this has several sets of 04 CF 
~ :These are both internal ip addresses behind our firewall.
~ :
~ :Does anyone know what these are?[this is one of dozens and dozens
~ :on this xx.xx.50.0/24 subnet.]
~ :
~ :
~ :# cat *1080*
~ :[**] WinGate 1080 Attempt [**]
~ :10/06-09:42:41.874129 198.183.201.3:53 -> 172.16.50.198:1080
~ :UDP TTL:253 TOS:0x0 ID:3948  DF
~ :Len: 104
~ :00 01 85 80 00 01 00 04 00 00 00 00 06 73 65 61  .............sea
~ :72 63 68 03 6D 73 6E 03 63 6F 6D 00 00 01 00 01  rch.msn.com.....
~ :C0 0C 00 01 00 01 00 00 0E 10 00 04 CF 2E B9 63  ...............c
~ :C0 0C 00 01 00 01 00 00 0E 10 00 04 CF 2E D1 C8  ................
~ :C0 0C 00 01 00 01 00 00 0E 10 00 04 CF 2E B0 7F  ................
~ :C0 0C 00 01 00 01 00 00 0E 10 00 04 CF 2E B3 11  ................
~ :
~ :

Actually it's a bit weird :) AFAIK wingate works only over TCP. The
ruleset which we distribute with snort says so as well. What you see here
is probably just a DNS query.

misc-lib:alert tcp !$HOME_NET !53 -> $HOME_NET 1080 (msg:"MISC-WinGate-1080-Attempt";flags:S;)
misc-lib:alert tcp !$HOME_NET !53 -> $HOME_NET 8080 (msg:"MISC-WinGate-8080-Attempt";flags:S;)
scan-lib:# Watch for WinGate Scans
scan-lib:alert tcp any any -> $HOME_NET 1080 (msg:"WinGate 1080 Attempt"; flags: S;)
scan-lib:alert tcp any any -> $HOME_NET 8080 (msg:"WinGate 8080 Attempt"; flags: S;)
telnet-lib:alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"TELNET - WinGate-Active"; content:"WinGate>";)
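The hex dump in the alert above decoded as a DNS message, as an added example (not part of the original post or of the Snort distribution). The packet bytes are the 96 bytes printed in the alert (Len: 104 minus the 8-byte UDP header); the function names, the name-compression handling and the one-line restatement of the scan-lib rule header are this example's own. It shows that the "04 CF" pairs the poster noticed are each answer's RDLENGTH (00 04) followed by the first octet (0xCF = 207) of an A record.

```python
"""Decode the UDP payload from the "WinGate 1080 Attempt" alert as DNS.

Added example, not code from the original post or from Snort. The bytes are
the six hex lines printed in the alert; everything else is assumed here.
"""
import struct

# UDP payload from the alert (Len: 104 includes the 8-byte UDP header,
# leaving 96 bytes of DNS message).
ALERT_HEX = """
00 01 85 80 00 01 00 04 00 00 00 00 06 73 65 61
72 63 68 03 6D 73 6E 03 63 6F 6D 00 00 01 00 01
C0 0C 00 01 00 01 00 00 0E 10 00 04 CF 2E B9 63
C0 0C 00 01 00 01 00 00 0E 10 00 04 CF 2E D1 C8
C0 0C 00 01 00 01 00 00 0E 10 00 04 CF 2E B0 7F
C0 0C 00 01 00 01 00 00 0E 10 00 04 CF 2E B3 11
"""


def hexdump_to_bytes(text):
    """Turn a whitespace-separated hex dump into bytes."""
    return bytes.fromhex("".join(text.split()))


def read_name(msg, offset):
    """Read a DNS name at offset, following RFC 1035 compression pointers.

    Returns (name, offset just past the name in the original stream).
    The C0 0C at the start of every answer is such a pointer (to offset 12).
    """
    labels = []
    resume = None        # where the caller continues after a pointer
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # top two bits set: pointer
            if resume is None:
                resume = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                  # guard against pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (resume if resume is not None else offset)


def parse_dns(msg):
    """Parse header, question and answer sections of a DNS message."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    out = {
        "id": ident,
        "is_response": bool(flags & 0x8000),   # QR bit: 1 = response
        "rcode": flags & 0x000F,
        "questions": [],
        "answers": [],
    }
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, qtype, qclass))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:          # A record: rdata is an IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        out["answers"].append((name, rtype, ttl, rdata))
    return out


def scan_rule_header_matches(proto, dst_port, syn):
    """Restate the scan-lib rule header and its flags:S option:
    alert tcp any any -> $HOME_NET 1080 (flags: S;).  Assumed helper."""
    return proto == "tcp" and dst_port == 1080 and syn


if __name__ == "__main__":
    decoded = parse_dns(hexdump_to_bytes(ALERT_HEX))
    print(decoded)
    # The alerted packet is UDP from port 53 with no TCP flags at all.
    print(scan_rule_header_matches("udp", 1080, False))
```

Running it prints one question for search.msn.com (type A, class IN) and four A records with TTL 3600, and `False` for the rule-header check, since the rule requires TCP with SYN set.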