[Snort-users] http_decode questions

Bob Bernstein bob at ...1100...
Sat Jan 6 16:13:00 EST 2001


I just upgraded my OpenBSD 2.7 box to snort-1.7. I use this machine for
ipfiltering and ipnat on a little home network connected to a cable
ISP. I'm using snort.conf and the rules it includes from the 1.7
distro. 

Here's the snort.conf I used, minus the rules include lines. fxp0 is
the interface connected to the cable modem; I have a static route set
on the cable connection.


var HOME_NET $fxp0_ADDRESS
var EXTERNAL_NET any
preprocessor defrag
preprocessor http_decode: 80 8080
preprocessor portscan: $HOME_NET 4 3 portscan.log
output log_tcpdump: snort.log


First question: should I reverse HOME_NET and EXTERNAL_NET in the
above? My local network, connected to another nic on the obsd box, is
an ordinary 192.168.1.0/24 affair.

With the above in place I get a _lot_ of these in my alert file:

01/05-21:17:19.856869  [**] spp_http_decode: IIS Unicode attack
detected [**] nn.n.nnn.nnn:60019 -> 205.188.245.116:80
01/05-21:17:19.856869  [**] spp_http_decode: IIS Unicode attack
detected [**] nn.n.nnn.nnn:60019 -> 205.188.245.116:80
01/05-21:17:19.976385  [**] spp_http_decode: IIS Unicode attack
detected [**] nn.n.nnn.nnn:60020 -> 205.188.245.116:80
01/05-21:17:19.976385  [**] spp_http_decode: IIS Unicode attack
detected [**] nn.n.nnn.nnn:60020 -> 205.188.245.116:80
01/05-21:17:20.109443  [**] spp_http_decode: IIS Unicode attack
detected [**] nn.n.nnn.nnn:60022 -> 205.188.245.116:80

where nn.n.nnn.nnn is the IP of my cable modem. These are apparently
requests for port 80 service from one of the machines on my local net
that is running a browser; the high port number suggests that it is an
ipnat'ed connection, yes? But, 205.188.245.116 does not resolve; a 'dig
-x 205.188.245.116' shows 205.188.245 as having a SOA in an AOL DNS
host. Hmmm.... 

Next question: why is ordinary browser use spawning those alerts? 

Final question <g>: Why would one of my browsers be seeking service
from that weird IP? I'm *certainly* not an AOL customer!

tia for any light shed on these conundrums...

-- 
Bob Bernstein
Esmond, R.I., USA 
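A small triage script, added here and not part of the original post, that parses alert lines of the shape shown above, collapses the exact duplicates (each alert in the excerpt appears twice) and tallies unique alerts per destination, also checking whether every source port is in the ephemeral range. The sample lines are constructed copies of the ones above with the masked cable-modem address replaced by 192.0.2.10, and the wrapped "attack / detected" lines joined back onto one line.

```python
import re
from collections import Counter

# Constructed sample in the shape of the alerts above (nn.n.nnn.nnn replaced by
# the documentation address 192.0.2.10 so the example runs offline).
SAMPLE_ALERTS = """\
01/05-21:17:19.856869  [**] spp_http_decode: IIS Unicode attack detected [**] 192.0.2.10:60019 -> 205.188.245.116:80
01/05-21:17:19.856869  [**] spp_http_decode: IIS Unicode attack detected [**] 192.0.2.10:60019 -> 205.188.245.116:80
01/05-21:17:19.976385  [**] spp_http_decode: IIS Unicode attack detected [**] 192.0.2.10:60020 -> 205.188.245.116:80
01/05-21:17:19.976385  [**] spp_http_decode: IIS Unicode attack detected [**] 192.0.2.10:60020 -> 205.188.245.116:80
01/05-21:17:20.109443  [**] spp_http_decode: IIS Unicode attack detected [**] 192.0.2.10:60022 -> 205.188.245.116:80
"""

# timestamp  [**] message [**] src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Return one dict per alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            alerts.append(d)
    return alerts

def dedupe(alerts):
    """Collapse exact repeats (same timestamp, message and 5-tuple), which is
    what the doubled lines in the alert file above are."""
    seen, unique = set(), []
    for a in alerts:
        key = (a["ts"], a["msg"], a["src"], a["sport"], a["dst"], a["dport"])
        if key not in seen:
            seen.add(key)
            unique.append(a)
    return unique

def summarize(alerts):
    """Count alerts per (message, destination) and report whether every source
    port is ephemeral (>= 1024), the pattern of NATed client traffic."""
    by_target = Counter((a["msg"], f'{a["dst"]}:{a["dport"]}') for a in alerts)
    ephemeral = all(a["sport"] >= 1024 for a in alerts)
    return by_target, ephemeral
```

Run it over a real alert file to see which destinations account for the bulk of the http_decode noise before deciding whether a tuning change is warranted.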

 
                                                





