[Snort-users] Snort detecting attacks...

Craig Woods res06ztt at ...1127...
Sun May 20 23:51:12 EDT 2001


Hello all,

I am new to the list but thought I might jump out here, and see what I
might learn. I am running Linux with the 2.2.17 kernal. I have a
multi-homed system (2 NICS) with an internal network , and this server
is also the gateway to the internet for all machines on private network.
I have set up rules for IPCHAINS and IPMASQ, and these serve as my
firewall. I have logging in syslog for attempts at most kinds of
intrusion. But.....

I have recently installed snort, and I am now seeing a lot more logging
in "/var/log/snort" Could someone tell me what the following two log
inputs indicate:

1) "MISC-WinGate-1080-Attempt:" 
2) "CGI Null Byte attack detected:"
  
(I am not running a HTTP Server on the external NIC)

These alerts are being logged by snort, and are coming from two
different IP_ADDR's, 64.156.150.92 for the first attack, and
216.142.229.194 for the second attack. Am I in danger of being hacked,
and, if so, what can be done about it? Any help and/or a pointing in the
right direction would be most appreciated.

Thanks,
Craig




More information about the Snort-users mailing list