[Snort-users] port 515

Gregor Binder gbinder at ...462...
Tue Apr 3 10:32:17 EDT 2001


Ball, Darryl on Tue, Apr 03, 2001 at 01:08:40PM -0000:

Darryl,

> Over the past 24 hours SNORT has indicated that I have received 1000
> overflow-noop-x86 attempts. Here is the packet data.  Any ideas what's
> running here? 

Since it's that many of them, maybe somebody is running stick against
you. Start by checking if xxx.xxx.xxx.xxx is listening on port 515. If
it is, it probably should be blocked by a firewall, at least probably
for the largest part of the population :)

To find out whether it is a valid attack or not, you will need complete
traces; if you have those, try to find out if all packets required to
form a complete TCP session are present. If you don't, and you're still
being attacked, run "tcpdump port 515" to see what's going on. Of course
if you just blocked the port, there is no way you will see a complete
session, but if the alerting goes on, you know that somebody is trying
to perform a (human) resource exhaustion attack against you.

Regards,

-- 
Gregor Binder       <gregor.binder at ...462...>      http://sysfive.com/
sysfive.com GmbH               UNIX. Networking. Security. Applications.
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
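
The session-completeness check described in the message above, as an added example that is not part of the original post: it reads text lines in the style of `tcpdump -n port 515` and reports, per client flow, whether payload sent to port 515 followed a full three-way handshake. The sample lines, addresses and the function name `classify_flows` are constructed for illustration, and the parser assumes the current tcpdump "Flags [..]" line format and a capture that saw both directions.

```python
import re
from collections import defaultdict

# Constructed sample modeled on `tcpdump -n port 515` text output.
# Addresses come from the documentation ranges; nothing here is real traffic.
SAMPLE = """\
10:00:00.000001 IP 192.0.2.10.40001 > 198.51.100.5.515: Flags [S], seq 100, win 5840, length 0
10:00:00.000200 IP 198.51.100.5.515 > 192.0.2.10.40001: Flags [S.], seq 900, ack 101, win 5792, length 0
10:00:00.000400 IP 192.0.2.10.40001 > 198.51.100.5.515: Flags [.], ack 901, win 5840, length 0
10:00:00.000600 IP 192.0.2.10.40001 > 198.51.100.5.515: Flags [P.], seq 101:613, ack 901, win 5840, length 512
10:00:01.000001 IP 203.0.113.7.2301 > 198.51.100.5.515: Flags [P.], seq 1:513, ack 1, win 512, length 512
10:00:01.000300 IP 203.0.113.9.1025 > 198.51.100.5.515: Flags [P.], seq 1:513, ack 1, win 512, length 512
"""

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\].*length (\d+)")

def classify_flows(text, port=515):
    """Map (client_ip, client_port, server_ip) to 'established' or 'no-handshake'."""
    state = defaultdict(int)  # handshake step reached: 0 none, 1 SYN, 2 SYN-ACK, 3 ACK
    verdict = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a TCP line in the assumed format
        src, sport, dst, dport, flags, length = m.groups()
        sport, dport, length = int(sport), int(dport), int(length)
        to_server = dport == port
        if not to_server and sport != port:
            continue
        # Key both directions of a connection by the client side.
        flow = (src, sport, dst) if to_server else (dst, dport, src)
        if to_server and flags == "S":
            state[flow] = 1
        elif not to_server and flags == "S." and state[flow] == 1:
            state[flow] = 2
        elif to_server and "." in flags and "S" not in flags and state[flow] == 2:
            state[flow] = 3
        # The first payload-carrying packet toward the service decides the verdict.
        if to_server and length > 0:
            verdict.setdefault(flow, "established" if state[flow] == 3 else "no-handshake")
    return verdict

if __name__ == "__main__":
    for flow, label in classify_flows(SAMPLE).items():
        print(flow, label)
```

Payload in a `no-handshake` flow was never delivered to a listening service, so a large number of such flows points to alert flooding rather than a working exploit attempt.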



