[Snort-users] SCAN PROXY attempt

Togan Muftuoglu toganm at ...603...
Wed Apr 25 05:23:03 EDT 2001


Hi everyone,

Now today I have a weird scan proxy attemp since this time it is going
from my ip to another one.  nslookup for 199.105.191.134 shows
nav4.itworld.com and as a matter of fact I was surfing itworld pages.
I do not use a proxy server be it local nor isp provided. Now IMHO  it
looks like I either have a misconfigured snort.conf or there is
something wrong with the rules or something is inside that I have not
find out yet. Any ideas to start checking the snort.conf is attached


Apr 25 11:52:56 gardiyan snort: SCAN Proxy attempt [Classification:
Attempted Information Leak   Priority: 3]: 212.156.199.79:64765
-> 199.105.191.134:8080
Apr 25 11:53:37 gardiyan snort: SCAN Proxy attempt [Classification:
Attempted Information Leak   Priority: 3]: 212.156.199.79:64791
-> 199.105.191.134:8080
Apr 25 11:54:58 gardiyan snort: SCAN Proxy attempt [Classification:
Attempted Information Leak   Priority: 3]: 212.156.199.79:64821
-> 199.105.191.134:8080



-- 
Togan Muftuoglu
-------------- next part --------------
#--------------------------------------------------
#   http://www.snort.org     Snort 1.8.0 Ruleset
#     Contact: snort-sigs at lists.sourceforge.net
#--------------------------------------------------
# NOTE:This ruleset only works for 1.8.0 and later
#--------------------------------------------------
# $Id: snort.conf,v 1.30 2001/04/20 03:43:51 cazz Exp $
#
###################################################
# This file contains a sample snort configuration. 
# You can take the following steps to create your 
# own custom configuration:
#
#  1) Set the network variables for your network
#  2) Configure preprocessors
#  3) Configure output plugins
#  4) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect
# your local network. The variable is currently 
# setup for an RFC 1918 address space.
#
# You can specify it explicitly as: 
# var HOME_NET 10.1.1.0/24
# or use global variable $<intname>_ADDRESS which
# will be always initialized to IP address and 
# netmask of the network interface which you run
# snort at.
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
#
# var HOME_NET $eth0_ADDRESS

var HOME_NET any
# Set up the external network addresses as well.  
# A good start may be "any"...

var EXTERNAL_NET any 

# Set up your SMTP servers, or simply configure them 
# to HOME_NET 

var SMTP $HOME_NET

# Set up your web servers, or simply configure them 
# to HOME_NET
#var HTTP_SERVERS $HOME_NET

# Set up your sql servers, or simply configure them
# to HOME_NET
#var SQL_SERVERS $HOME_NET
 
# Define the addresses of DNS servers and other hosts 
# if you want to ignore portscan false alarms from them...

var DNS_SERVERS $HOME_NET $EXTERNAL_NET

###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of 
# the form
# preprocessor <name_of_processor>: <configuration_options>

# minfrag: detect small fragments
# -------------------------------
# minfrag takes the minimum fragment size (in bytes)
# threshold as its argument. Fragmented packets at of
# below this size will cause an alert to be generated.
# The functionality of this preprocessor is largely
# superceded by the defrag plugin below.

preprocessor minfrag: 128

# defrag: defragmentation support
# -------------------------------
# IP defragmentation support from Dragos Ruiu. There
# are no configuration options at this time.

preprocessor defrag

# stream/stream2: TCP stream reassembly
# -------------------------------------
# TCP stream reassembly preprocessor from Chris Cramer.  
# This preprocessor should always go after the defrag 
# preprocessor, but before application layer decoders. 
# The example below monitors ports 23 and 80, has a 
# timeout after 10 seconds, and will send reassembled 
# packets of max # payload 16384 bytes through the 
# detection engine. See # README.tcpstream for more 
# information and configuration options. Uncomment 
# the following line and configure appropriately to 
# enable this preprocessor.
#
# NOTE: This code should still be considered BETA!
# It seems to be stable, but there are still some
# issues that remain to be resolved, so make sure you
# keep an eye on your Snort sensor if you enable this plugin
# The older version which definitely had issues w/ packet
# loss is still in the code base, to use it in place of the
# new version, use "preprocessor stream: ..."

# use one or the other, not both!
#preprocessor stream: timeout 10, ports 21 23 80 110 143, maxbytes 16384
preprocessor stream2: timeout 10, ports 21 23 80 110 143, maxbytes 16384

# http_decode: normalize HTTP requests
# ------------------------------------
# http_decode normalizes HTTP requests from remote 
# machines by converting any %XX character 
# substitutions to their ASCII equivalent. This is
# very useful for doing things like defeating hostile
# attackers trying to stealth themselves from IDSs by
# mixing these substitutions in with the request. 
# Specify the port numbers you want it to analyze as arguments.
# You may also specify -nounicode to turn off detection of 
# UNICODE directory traversal, etc attacks

preprocessor http_decode: 80 -unicode -cginull

# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual
# 4-byte encoding that is used by default.  This preprocessor
# normalized RPC traffic in much the same way as the http_decode
# preprocessor.  This plugin takes the ports numbers that RPC 
# services are running on as arguments.

preprocessor rpc_decode: 111 32771 

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network.  This preprocessor
# uses the Back Orifice "encryption" algorithm to search for 
# traffic conforming to the Back Orifice protocol (not BO2K).
# This preprocessor can take two arguments.  The first is "-nobrute"
# which turns off the plugin's brute forcing routine (brute forces 
# the key space of the protocol to find BO traffic).  The second
# argument that can be passed to the routine is a number to use
# as the default key when trying to decrypt the traffic.  The 
# default value is 31337 (just like BO).  Be aware that turning on
# the brute forcing option runs the risk of impacting the overall
# performance of Snort, you've been warned...

preprocessor bo: -nobrute

# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from
# telnet and ftp traffic.  It works in much the same way as the 
# http_decode preprocessor, searching for traffic that breaks up
# the normal data stream of a protocol and replacing it with 
# a normalized representation of that traffic so that the "content"
# pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.

preprocessor telnet_decode

# portscan: detect a variety of portscans
# ---------------------------------------
# portscan preprocessor by Patrick Mullen <p_mullen at ...245...>
# This preprocessor detects UDP packets or TCP SYN packets going to
# four different ports in less than three seconds. "Stealth" TCP
# packets are always detected, regardless of these settings.

preprocessor portscan: $HOME_NET 4 3 portscan.log

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can all multiple hosts/networks
# in a whitespace-delimited list.
#
preprocessor portscan-ignorehosts: $DNS_SERVERS

# Spade: the Statistical Packet Anomaly Detection Engine
#-------------------------------------------------------
#
# READ the README.Spade file before using this plugin!
#
# See http://www.silicondefense.com/spice/ for more info
#
# Spade is a Snort plugin to report unusual, possibly 
# suspicious, packets. Spade will review the packets 
# received by Snort, find those of interest (TCP SYNs 
# into your homenets, if any), and report those packets
# that it believes are anomalous along with an anomaly 
# score.  To enable spp_anomsensor, you must have a
# line of this form in your snort configuration file:
#
# preprocessor spade: <anom-report-thresh> <state-file>
# <log-file> <prob-mode> <checkpoint-freq>
#
# DO NOT ENABLE THIS PLUGIN UNLESS YOU HAVE READ THE 
# README.Spade FILE THAT COMES IN THIS DISTRIBUTION AND
# ARE COGENT OF THE PERFORMANCE IMPACT THAT THIS MODULE
# MAY HAVE UPON YOUR NORMAL SNORT CONFIGURATION!
#
# set this to a directory Spade can read and write to
# store its files
#
# var SPADEDIR .
#
# preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
#
# put a list of the networks you are interested in Spade observing packets
# going to here
#
# preprocessor spade-homenet: 0.0.0.0/0
#
# this causes Spade to adjust the reporting threshold automatically
# the first argument is the target rate of alerts for normal circumstances
# (0.01 = 1% or you can give it an hourly rate) after the first hour (or
# however long the period is set to in the second argument), the reporting
# threshold given above is ignored you can comment this out to have the
# threshold be static, or try one of the other adapt methods below
# preprocessor spade-adapt3: 0.01 60 168
#
# other possible Spade config lines:
# adapt method #1
#preprocessor spade-adapt: 20 2 0.5
# adapt method #2
#preprocessor spade-adapt2: 0.01 15 4 24 7
# offline threshold learning
#preprocessor spade-threshlearn: 200 24
# periodically report on the anom scores and count of packets seen
#preprocessor spade-survey:  $SPADEDIR/survey.txt 60
# print out known stats about packet feature
#preprocessor spade-stats: entropy uncondprob condprob


####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# Note that you can optionally define new rule types and 
# associate one or more output plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# This example will create a rule type that will log to syslog
# and a mysql database.
# ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
# }

# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments
#
 output alert_syslog: LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: snort.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test dbname=snort17 host=localhost
# output database: log, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort

# xml: xml logging
# ----------------
# See the README.xml file for more information about configuring
# and using this plugin.
#
# output xml: log, file=/var/log/snortxml

#
# Include classification & priority settings
#

include classification.config


####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at the following web sites:
#   http://www.snort.org
#   http://www.whitehats.com
#
# The snort web site has documentation about how to 
# write your own custom snort rules.
#
# The rules included with this distribution generate alerts based on
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives ore may be detecting
# activity you consider to be acceptable; therefore, you are
# encouraged to comment out rules that are not applicable in your
# environment.
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply. :)
#
# The following individuals contributed many of rules in this
# distribution.
#
# Credits:
#   Ron Gula <rgula at ...922...> of Network Security Wizards
#   Max Vision <vision at ...4...>
#   Martin Markgraf <martin at ...923...>
#   CyberPsychotic <fygrave at ...121...>
#   Nick Rogness <nick at ...176...>
#   Jim Forster <jforster at ...176...>
#   Scott McIntyre <scott at ...315...>
#   Tom Vandepoel <Tom.Vandepoel at ...271...>
#   Brian Caswell <bmc at ...312...>

#=========================================
# Include all relevant rulesets here 
# by default policy and info are disabled
#=========================================
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include x11.rules
include icmp.rules
include shellcode.rules
include misc.rules
# include policy.rules
# include info.rules
# include icmp-info.rules
# include virus.rules
include local.rules


More information about the Snort-users mailing list