[Snort-users] My Webservers Are Showing Up In My Alerts

Vadim Pushkin wiskbroom at ...125...
Thu Jun 13 17:26:18 EDT 2002


I already did that, in fact I have this instead:

alert tcp $EXTERNAL_NET any -> !$HTTP_SERVERS 8080 (msg:"SCAN Proxy \(8080\) 
attempt"; flags:S; classtype:attempted-recon; sid:620; rev:2;)

The problem is that these are ALSO my proxy servers running
Squid. As such, they are the springboard into "other" people's
webservers. Because of this I get a lot of WEB-cgi calendar,
WEB-IIS scripts, etc. to these machines. Should I add a "!"
into ALL of my rules? I hope not :-)

Thanks again,

Vad

>From: matt <mkettler at ...4108...>
>To: "Vadim Pushkin" <wiskbroom at ...125...>, 
>snort-users at lists.sourceforge.net
>Subject: Re: [Snort-users] My Webservers Are Showing Up In My Alerts
>Date: Thu, 13 Jun 2002 18:38:18 -0400
>
>Ahh, you're probably getting "SCAN Proxy Attempt" alerts, since port
>8080 (along with 1080) is often used for socks proxy servers.
>
>Snort's default ruleset assumes any attempt to connect to port 8080 is
>someone scanning for proxy servers to abuse.
>
>Go into scan.rules and comment out this rule:
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy
>attempt";flags:S; classtype:attempted-recon; sid:620; rev:1;)
>
>and that should quiet your alerts.
>
>At 10:26 PM 6/13/2002 +0000, Vadim Pushkin wrote:
>>Hi and thank you,
>>
>>They are merely accesses to my port 8080, not break-ins at
>>all. Perhaps they are perceived this way due to my port
>>change? I do not know. My servers listen on port 8080
>>and the users are legit, mostly internal.
>>
>>
>>Vadim
>>
>>
>>>From: Matt Kettler <mkettler at ...4108...>
>>>To: "Vadim Pushkin" <wiskbroom at ...125...>,
>>>snort-users at lists.sourceforge.net
>>>Subject: Re: [Snort-users] My Webservers Are Showing Up In My Alerts
>>>Date: Thu, 13 Jun 2002 17:34:34 -0400
>>>
>>>Well, that's not surprising. A lot of the alerts you see are likely to be
>>>things like Code Red, IIS cmd.exe and other such things, directory
>>>traversals, etc.
>>>
>>>These usually represent actual attack attempts on your webserver. It is
>>>usually being done by a virus or an automated tool. It's not uncommon for a
>>>webserver to see dozens of these a day. The net is a brutal place, and it's
>>>not uncommon to see a network block have exploit attempts hundreds of times
>>>per day. Particularly if snort is watching unfiltered traffic in front of
>>>your firewall.
>>>
>>>My best recommendation is that if the alerts bother you, and you KNOW that
>>>your webserver cannot possibly be vulnerable, comment out the rule in the
>>>.rules file. (For example, if all your webservers are BSD or Linux Apache
>>>webservers it's pretty safe to comment out the cmd.exe rule.)
>>>
>>>It is important to note however that they aren't false alerts, they are
>>>usually genuine attempts to penetrate your webserver to run malicious code.
>>>Snort takes the stand of having alerts for attempts, even if they were not
>>>successful, because most events that do result in a real compromise are
>>>"noisy" in that they have a lot of failed attempts preceding the one that
>>>succeeded.
>>>
>>>At 07:18 PM 6/13/2002 +0000, Vadim Pushkin wrote:
>>>>Greetings Fellows;
>>>>
>>>>My snort.conf has the following entries:
>>>>
>>>>var HTTP_SERVERS
>>>>[192.168.11.41/32,192.168.11.42/32,192.168.11.43/32,192.168.11.44/32]
>>>>
>>>># Above is all on one line
>>>>
>>>>var HTTP_SERVERS_PORT 8080
>>>>
>>>>Several of my rules have port 80 replaced with $HTTP_SERVERS_PORT.
>>>>
>>>>I am getting A LOT of alerts for these as either source or dest.
>>>>How can I prevent this?
>>>>
>>>>Thank you kindly,
>>>>
>>>>-vadim
>>>>Vadim (Ukranian Stallion) Pushkin
>>>>
>>-vadim
>>Vadim (Ukranian Stallion) Pushkin
>
-vadim
Vadim (Ukranian Stallion) Pushkin
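As an added example (not part of this thread and not Snort's own code), a small Python script that reads Snort "fast"-format alert lines and sorts each alert by whether one of the HTTP_SERVERS hosts from the snort.conf quoted above was the destination (something talking to the server or proxy itself) or the source (the Squid proxy relaying a client request outward), which is the split Vadim needs before deciding which rules to negate. The sample alert lines and the sid other than 620 are constructed for this example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# The four hosts from the HTTP_SERVERS variable quoted in this thread.
HTTP_SERVERS = [ip_network(n) for n in (
    "192.168.11.41/32", "192.168.11.42/32",
    "192.168.11.43/32", "192.168.11.44/32")]

# Snort "fast" alert line: <time> [**] [gid:sid:rev] <msg> [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")

# Constructed sample alerts. sid 620 is the SCAN Proxy rule from the thread;
# sid 1000001 stands in for a WEB-CGI rule (number made up for this example).
SAMPLE_ALERTS = [
    "06/13-17:26:18.000001  [**] [1:620:2] SCAN Proxy (8080) attempt [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{TCP} 10.9.8.7:3301 -> 192.168.11.41:8080",
    "06/13-17:27:02.000002  [**] [1:1000001:1] WEB-CGI calendar access [**] "
    "[Classification: Web Application Attack] [Priority: 1] "
    "{TCP} 192.168.11.42:40112 -> 203.0.113.5:80",
    "06/13-17:27:40.000003  [**] [1:1000001:1] WEB-CGI calendar access [**] "
    "[Classification: Web Application Attack] [Priority: 1] "
    "{TCP} 198.51.100.9:5120 -> 192.168.11.43:8080",
]

def is_http_server(addr):
    ip = ip_address(addr)
    return any(ip in net for net in HTTP_SERVERS)

def classify(line):
    """Return (sid, role); role says which side of the alert a listed server was on."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    src_ours, dst_ours = is_http_server(m["src"]), is_http_server(m["dst"])
    if dst_ours and not src_ours:
        role = "inbound_to_server"      # outsider talking to the server/proxy itself
    elif src_ours and not dst_ours:
        role = "outbound_from_server"   # Squid relaying a client's request outward
    elif src_ours and dst_ours:
        role = "server_to_server"
    else:
        role = "unrelated"
    return int(m["sid"]), role

def tally(lines):
    """Count alerts per (sid, role) so proxy-relay noise shows up separately."""
    return Counter(c for c in map(classify, lines) if c is not None)
```

Rules whose hits land almost entirely in the outbound_from_server bucket are the ones worth excluding the proxy addresses from; the inbound ones are the attempts Matt describes and should stay.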