[Snort-users] MISC IP Reserved bit set

Frontgate Lab mdiwan at ...200...
Fri Oct 12 08:03:05 EDT 2001


Hiya... errm... I think this is bad... I believe it is Nimda:

Oct 11 11:48:35 fglab snort[4483]: [1:1284:3] WEB-MISC readme.eml
attempt [Classification: Attempted User Privilege Gain] [Priority: 8]:
{TCP} 151.196.107.166:80 -> 192.168.150.203:35434

nslookup results:

 nslookup 151.196.107.166
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server:		207.150.196.199
Address:	207.150.196.199#53

Non-authoritative answer:
166.107.196.151.in-addr.arpa	name = snort.sourcefire.com.

Authoritative answers can be found from:
166.107.196.151.in-addr.arpa	nameserver = ns1.sourcefire.com.
166.107.196.151.in-addr.arpa	nameserver = ns2.sourcefire.com.
ns1.sourcefire.com	internet address = 151.196.107.164
ns2.sourcefire.com	internet address = 151.196.107.165


Good thing I use a Linux workstation :)


Of course the source address could be spoofed, but... I kinda don't think so, as I have this:

[root at ...3795... /root]# cat /proc/sys/net/ipv4/conf/*/rp_filter
1
0
0
0


Could you guys help and tell me if I'm way off the mark or on the money,
and if this is legitimate? Also, is my spoof blocking working?

I have the following code from Bob Toxen on my workstation, which is
behind a Linux firewall that does masquerading out:

#!/bin/sh
# Turn on Source Address Verification (reverse-path filtering) on all interfaces.
# The kernel only exposes this knob when it was built with rp_filter support,
# so test for the conf/all entry before trying to write anything.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
	echo -n "Enabling IP spoofing blocking..."
	# Write 1 to every entry: conf/all, conf/default and each interface
	# (conf/default seeds interfaces that come up later).
	for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
		echo 1 > "$f"
	done
	echo "done."
else
	echo "ERROR: CANNOT SET UP IP SPOOF BLOCKING!  HELP!"
	sleep 30
fi

[root at ...3795... /root]# snort -V

-*> Snort! <*-
Version 1.8.1-current (Build 79)
By Martin Roesch (roesch at ...1935..., www.snort.org)

[root at ...3795... /root]# rpm -q MySQL
MySQL-3.23.43-1

[root at ...3795... /root]# rpm -q MySQL-Max
MySQL-Max-3.23.43-1
 

ps ax | grep snort
 4483 ?        S      0:28 snort -D -s -c /etc/snort/snort.conf -l /var/log/snor
15562 pts/3    S      0:00 grep snort


Thank you.

By the way, SNORT rules!!

Madhav Diwan


PS: How do I figure out why the Snort alerts are not getting into my
MySQL database even when I have the following line in snort.conf?

# database: log to a variety of databases
# See the README.database file for more information about configuring
 output database: log, mysql, user=user dbname=snort host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, unixodbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# as databases or the network can now be avoided.  
# and a mysql database.
#   output database: log, mysql, user=snort dbname=snort host=localhost

When I do a process listing in MySQL, it seems that Snort is no longer
logged in from localhost after some time elapses.

Also, has anyone figured out how to get portscans into the database?


A lot of questions... sorry guys, that's the price you pay for having a
support list :)
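As an added example (not part of the original post or of Snort itself), here is a Python parser for the syslog-format Snort alert quoted above, plus a small triage helper. The helper assumes the conventional TCP port split (service port below 1024 on the server side, ephemeral port above it) to decide which end opened the connection: in the quoted alert the source is port 80 on the remote host and the destination is a high port on the 192.168 workstation, so the packet that matched is the web server's reply to a connection the workstation itself opened, not an unsolicited inbound connection. The sample line is the post's alert rejoined onto one line; the field names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the alert from the post, rejoined onto a single syslog line.
SAMPLE_ALERT = (
    "Oct 11 11:48:35 fglab snort[4483]: [1:1284:3] WEB-MISC readme.eml "
    "attempt [Classification: Attempted User Privilege Gain] [Priority: 8]: "
    "{TCP} 151.196.107.166:80 -> 192.168.150.203:35434"
)

# Syslog prefix, [gid:sid:rev], message, optional classification, priority,
# {proto} and the src:port -> dst:port pair. Anything else is rejected.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<sensor>\S+) snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class SnortAlert:
    timestamp: str
    sensor: str
    pid: int
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(line: str) -> Optional[SnortAlert]:
    """Parse one syslog-format Snort alert line; None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return SnortAlert(
        timestamp=g["ts"], sensor=g["sensor"], pid=int(g["pid"]),
        gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["cls"], priority=int(g["prio"]),
        proto=g["proto"].upper(), src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]),
    )


def likely_initiator(alert: SnortAlert) -> Optional[str]:
    """Guess which IP opened the TCP connection from the well-known/ephemeral
    port split. Assumption: service side < 1024, client side >= 1024."""
    if alert.proto != "TCP":
        return None
    if alert.sport < 1024 <= alert.dport:
        return alert.dst      # packet flows server -> client: dst opened it
    if alert.dport < 1024 <= alert.sport:
        return alert.src      # packet flows client -> server: src opened it
    return None


def triage(alert: SnortAlert) -> dict:
    """Summarise direction: did our (RFC 1918) host open the session, or was
    the matching packet part of a connection an outside host initiated?"""
    initiator = likely_initiator(alert)
    src_internal = ipaddress.ip_address(alert.src).is_private
    dst_internal = ipaddress.ip_address(alert.dst).is_private
    if initiator is None:
        verdict = "direction_unknown"
    elif initiator == alert.dst and dst_internal and not src_internal:
        verdict = "response_to_outbound_connection"
    elif initiator == alert.src and not src_internal and dst_internal:
        verdict = "inbound_connection_from_outside"
    else:
        verdict = "other"
    return {"initiator": initiator, "sid": alert.sid,
            "priority": alert.priority, "verdict": verdict}


if __name__ == "__main__":
    parsed = parse_alert(SAMPLE_ALERT)
    print(parsed)
    print(triage(parsed))
```

The triage verdict says only who opened the session; whether the reply actually carried a copy of readme.eml or merely a page that mentions it is something the signature name alone cannot tell you, and the logged packet payload is what settles that.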

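A second added example, again my own code rather than anything from the post or from Bob Toxen's script, for the "is my spoof blocking working?" question. It reads every conf/*/rp_filter entry and works out the effective per-interface setting under the two rules kernels have used: the 2.4-era kernels ANDed conf/all with the interface's own flag, so both had to be 1, while later kernels take the maximum of the two. The sample dictionary mirrors the four values shown in the post (1, 0, 0, 0); the assumption that they correspond to all, default, eth0 and lo comes from the shell glob expanding alphabetically.

```python
import glob
import os

# Constructed sample mirroring the post's `cat /proc/sys/net/ipv4/conf/*/rp_filter`
# output. Assumption: the glob expands alphabetically, so the four entries are
# all, default, eth0 and lo in that order.
SAMPLE_RP_FILTER = {"all": 1, "default": 0, "eth0": 0, "lo": 0}


def read_rp_filter(conf_dir="/proc/sys/net/ipv4/conf"):
    """Read rp_filter for every entry under conf_dir (live system only);
    returns an empty dict when /proc is unavailable."""
    values = {}
    for path in sorted(glob.glob(os.path.join(conf_dir, "*", "rp_filter"))):
        name = os.path.basename(os.path.dirname(path))
        try:
            with open(path) as fh:
                values[name] = int(fh.read().strip())
        except (OSError, ValueError):
            continue
    return values


def effective_rp_filter(values, semantics):
    """Effective per-interface rp_filter.
    'and': 2.4-era kernels require conf/all AND conf/<if> to be non-zero.
    'max': later kernels use max(conf/all, conf/<if>)."""
    if semantics not in ("and", "max"):
        raise ValueError("semantics must be 'and' or 'max'")
    all_val = values.get("all", 0)
    result = {}
    for name, val in values.items():
        if name in ("all", "default"):   # not real interfaces
            continue
        if semantics == "and":
            result[name] = 1 if (all_val and val) else 0
        else:
            result[name] = max(all_val, val)
    return result


def unprotected_interfaces(values, semantics):
    """Interfaces whose effective rp_filter is 0 under the given semantics."""
    return sorted(n for n, v in effective_rp_filter(values, semantics).items() if v == 0)


if __name__ == "__main__":
    live = read_rp_filter() or SAMPLE_RP_FILTER
    for sem in ("and", "max"):
        print(sem, "-> unprotected:", unprotected_interfaces(live, sem))
```

Running this against the post's values reports eth0 and lo as unprotected under the 2.4 rule and nothing under the max rule, so the answer to "is it working?" depends on the kernel; writing 1 to every entry, as the script in the post does, makes the question moot on either kernel, provided it runs after the interfaces exist.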

