[Snort-users] alert file

Alberto Gonzalez ag-snort at ...7149...
Wed Oct 23 19:53:03 EDT 2002

Zachary Uram wrote:

>How can I tell which snort alerts I should be concerned about and which
>are harmless? I was running various IDS programs but the trigger
>threshold seemed so low I was getting root mailed every 20 secs with
>some different sort of "alert" sheesh.
Actually, you should be concerned about _ALL_ alerts (for the first few days/weeks) until you establish what's false (if any?) or which are truly alerts/attacks. When I first started, I would research what snort gave me alerts on, learn about the attack, and see if I was vulnerable. This has helped me greatly in my journey.

>[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
>[Classification: Web Application Attack] [Priority: 1]
>05/31-08:44:22.007315 ->
>TCP TTL:113 TOS:0x0 ID:55556 IpLen:20 DgmLen:112 DF
>***AP*** Seq: 0xD9C61308  Ack: 0xF34FE080  Win: 0x4470  TcpLen: 20
>[Xref => http://www.cert.org/advisories/CA-2001-19.html]
>[**] [1:1002:2] WEB-IIS cmd.exe access [**]
>[Classification: Web Application Attack] [Priority: 1]
>05/31-08:44:23.305171 ->
>TCP TTL:113 TOS:0x0 ID:55894 IpLen:20 DgmLen:120 DF
>***AP*** Seq: 0xDA026642  Ack: 0xF3814B1A  Win: 0x4470  TcpLen: 20
These really get annoying (poor access_log). I personally (and mine is unix based) don't care about any IIS attacks aimed at my network. I couldn't care less what IIS junk they throw at me. You should customize your RULESET to pertain to your network (running services, users, etc.). No need to run IIS rules if you're using Apache (same goes for other stuff as well).

>[**] [1:620:1] SCAN Proxy attempt [**]
>[Classification: Attempted Information Leak] [Priority: 2]
>06/02-01:04:42.380797 ->
>TCP TTL:50 TOS:0x0 ID:4457 IpLen:20 DgmLen:60 DF
>******S* Seq: 0xB1259605  Ack: 0x0  Win: 0x16D0  TcpLen: 40
>TCP Options (5) => MSS: 1460 SackOK TS: 254576492 0 NOP WS: 0 
>[**] [1:618:1] INFO - Possible Squid Scan [**]
>[Classification: Attempted Information Leak] [Priority: 2]
>06/02-01:04:42.391610 ->
>TCP TTL:50 TOS:0x0 ID:38290 IpLen:20 DgmLen:60 DF
>******S* Seq: 0xB12412FE  Ack: 0x0  Win: 0x16D0  TcpLen: 40
>TCP Options (5) => MSS: 1460 SackOK TS: 254576492 0 NOP WS: 0 
I've seen Squid scan attempts when nmap[1] is run at your network. Just doing some information gathering on your subnet. I could be wrong, just trying to give you a general idea.

>[**] [100:2:1] spp_portscan: portscan status from 5
>connections across 1 hosts: TCP(5), UDP(0) [**]
Just spp_portscan letting you know what's up :-)

>[**] [1:469:1] ICMP PING NMAP [**]
>[Classification: Attempted Information Leak] [Priority: 2]
>06/21-04:04:16.206809 ->
>ICMP TTL:25 TOS:0x0 ID:39126 IpLen:20 DgmLen:28
>Type:8  Code:0  ID:32305   Seq:0  ECHO
>[Xref => http://www.whitehats.com/info/IDS162]
Pretty self-explanatory.

>[**] [1:477:1] ICMP Source Quench [**]
>[Classification: Potentially Bad Traffic] [Priority: 2]
>08/24-06:36:42.576710 ->
>ICMP TTL:237 TOS:0x0 ID:12946 IpLen:20 DgmLen:56 DF
>Type:4  Code:0  SOURCE QUENCH
>[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
>[Classification: Misc activity] [Priority: 3]
>09/28-10:12:25.898514 ->
>ICMP TTL:127 TOS:0x0 ID:59706 IpLen:20 DgmLen:60
>Type:8  Code:0  ID:49409   Seq:256  ECHO
>[Xref => http://www.whitehats.com/info/IDS154]
Can't say I've seen this before; then again, I have everything pertaining to Windows turned off... no need for 'noise'.

Hope it helps

    - Albert

1. nmap http://www.insecure.org/nmap

The secret to success is to start from scratch and keep on scratching.
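As an added example (not code from this thread or from the Snort project), a small Python triage pass over Snort "full" format alert records in the spirit of Albert's advice: parse each record, prune rules for services you don't run, and sort the rest by priority. The sample records are constructed (addresses from RFC 5737 documentation ranges) and RULE_SERVICE is a hypothetical mapping you would extend for your own ruleset.

```python
import re

# Constructed sample in Snort "full" alert format (hosts are RFC 5737 documentation addresses).
SAMPLE_ALERTS = """\
[**] [1:1256:3] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
05/31-08:44:22.007315 198.51.100.7:3421 -> 192.0.2.10:80
TCP TTL:113 TOS:0x0 ID:55556 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xD9C61308  Ack: 0xF34FE080  Win: 0x4470  TcpLen: 20
[Xref => http://www.cert.org/advisories/CA-2001-19.html]

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
09/28-10:12:25.898514 198.51.100.4 -> 192.0.2.10
ICMP TTL:127 TOS:0x0 ID:59706 IpLen:20 DgmLen:60
Type:8  Code:0  ID:49409   Seq:256  ECHO
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")      # [**] [gid:sid:rev] msg [**]
CLASSIFY = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
PACKET = re.compile(r"^(\S+) (\S+) -> (\S+)$")                               # timestamp src -> dst
# Hypothetical mapping: rule-name prefix -> the service that rule protects.
RULE_SERVICE = {"WEB-IIS": "iis", "INFO - Possible Squid": "squid"}

def parse_alerts(text):
    """Split a full-format alert file (blank-line separated records) into one dict each."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        head = lines and HEADER.match(lines[0])
        if not head:
            continue                       # tolerate junk between records
        a = {"sid": int(head[2]), "msg": head[4], "priority": None, "src": None}
        for line in lines[1:]:
            if (m := CLASSIFY.match(line)):
                a["classification"], a["priority"] = m[1], int(m[2])
            elif (m := PACKET.match(line)):
                a["src"] = m[2].rsplit(":", 1)[0]   # drop the port; ICMP records have none
        alerts.append(a)
    return alerts

def triage(alert, local_services):
    """Prune rules for services this network does not run; otherwise rank by Snort priority."""
    for prefix, service in RULE_SERVICE.items():
        if alert["msg"].startswith(prefix) and service not in local_services:
            return "prune"
    return {1: "investigate", 2: "review"}.get(alert["priority"], "log-only")

def triage_file(text, local_services):
    """Return {sid: verdict} for every record, given your host profile, e.g. {"apache"}."""
    return {a["sid"]: triage(a, local_services) for a in parse_alerts(text)}
```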
