PS: [Snort-users] Snort Newbie
jsage at ...2022...
Sun Sep 16 09:09:03 EDT 2001
Jason Withrow wrote:
> Ok, I think that is the problem, I need to define the IP?s as External
> and Internal.
> I am guessing (Don?t laugh, I am pretty new at this) that the $EXTERNAL
> var should be my global internet NIC IP and $INTERNAL should be my
> intranet 192.168.x.x NIC?
> Also, how does one make any sense out of the packets? This looks pretty
> Greek to me.
Depending on how serious you are about learning about TCP/IP, which is
what the Internet runs on, there really is no substitute for:
"TCP/IP Illustrated, vol 1, W. Richard Stevens, Addison-Wesley"
There are other books, but this is the one I hear recommended most
often. I have the entire series, vols 1-3.
To break this down:
> [**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
This is the identifier for what sort of a problem snort sees the packet
to be. See:
The classic Micro$oft Index Server ISAPI extension overflow attempt that
we have all become so familiar with, lately ;-)
> 09/16-02:55:00.611575 0:30:80:5D:7F:8C -> 0:10:B5:4:13:41 type:0x800
Date and timestamp; source hardware address -> destination hardware
address; type:0x800 indicates that this is an IP datagram
> 220.127.116.11:1198 -> 18.104.22.168:80 TCP TTL:124 TOS:0x0 ID:51642 IpLen:20
> DgmLen:1500 DF
source IP address:source port (1198) -> destination IP
address:destination port (80)
Port 80 is the standard well-known port for http/www transactions.
Just out of curiosity:
BW whois 2.9 by Bill Weinman
© 1999-2001 William E. Weinman
connecting to whois.arin.net [22.214.171.124:43] ...
MediaOne NorthEast (NET-M1-NE-4)
27 Industrial Ave.
Chelmsford, MA 01824
Netblock: 126.96.36.199 - 188.8.131.52
So this is someone (probably a Window$ box given the low port..) at
184.108.40.206 trying to connect to 220.127.116.11 (which should be you..) on
your port 80. Are you running Win 2000 or Win NT with IIS 4.0 or 5.0
Can you say "Code Red"?
> TCP TTL:124 TOS:0x0 ID:51642 IpLen:20 DgmLen:1500 DF
Anyway, to continue.. TCP - this is a TCP packet; TTL:124 - Time To
Live: how many hops the packet has left before it should be dropped by a
well-configured router; TOS:0x0 - Type Of Service: not set; ID:51642 -
an integer set by the sending host to uniquely identify the packet;
IpLen:20 - the length in bytes of the IP header (normal)
> ***A**** Seq: 0xF79A6595 Ack: 0xF0C2A391 Win: 0x4470 TcpLen: 20
TPC flags - the ACK flag is set, indicating that this packet is
responding to (ACKnowledging..) a packet you've sent (this can be
faked..); Seq: 0xF79A6595 - the TCP sequence number identifying which
packet *this* is; Ack: 0xF0C2A391 - which sequence number the other end
expects to receive *next*; Win: 0x4470 - the sending host is advertising
a receive window (packet size) of hex 4470 (decimal 17520) bytes; and,
finally, TcpLen: 20 - the TCP length of this datagram is 20 bytes
Fun stuff, huh?
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."
More information about the Snort-users