[Snort-users] Need help with Sneeze

Peggy Kam ppkam at ...11126...
Mon Feb 9 07:47:07 EST 2004


Hi,

I believe that I was able to get sneeze running properly, i.e. when I
tried running the following command on 192.168.22.205:
./sneeze.pl -d 192.168.22.205 -f /prod/etc/snort/dos.rules -s 192.168.22.123 -i eth0

it generates the following:
ATTACK:
:45068 -> 192.168.22.205:64238

ATTACK: DOS Jolt attack
ATTACK TYPE: attempted-dos
ip :28282 -> 192.168.22.205:25713
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0345

ATTACK: DOS Teardrop attack
ATTACK TYPE: attempted-dos
udp :41624 -> 192.168.22.205:1658
Reference => http://www.securityfocus.com/bid/124
Reference => http://www.cert.org/advisories/CA-1997-28.html
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0015

ATTACK: DOS UDP echo+chargen bomb
ATTACK TYPE: attempted-dos
udp :19 -> 192.168.22.205:7
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0103
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0635

ATTACK: DOS IGMP dos attack
ATTACK TYPE: attempted-dos
ip :46144 -> 192.168.22.205:35580
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0918

ATTACK: DOS IGMP dos attack
ATTACK TYPE: attempted-dos
ip :38226 -> 192.168.22.205:53283
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0918

ATTACK: DOS ath
ATTACK TYPE: attempted-dos
icmp :45358 -> 192.168.22.205:55818
Reference => http://www.whitehats.com/info/IDS264
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1228

ATTACK: DOS NAPTHA
ATTACK TYPE: attempted-dos
tcp :33887 -> 192.168.22.205:24469
Reference => http://www.securityfocus.com/bid/2022
Reference => http://razor.bindview.com/publish/advisories/adv_NAPTHA.html
Reference => http://www.cert.org/advisories/CA-2000-21.html
Reference => http://www.microsoft.com/technet/security/bulletin/MS00-091.asp
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1039

ATTACK: DOS Real Audio Server
ATTACK TYPE: attempted-dos
tcp :49921 -> 192.168.22.205:7070
Reference => http://www.whitehats.com/info/IDS411
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0474
Reference => http://www.securityfocus.com/bid/1288

ATTACK: DOS Real Server template.html
ATTACK TYPE: attempted-dos
tcp :41169 -> 192.168.22.205:7070
Reference => http://www.securityfocus.com/bid/1288
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0474

ATTACK: DOS Real Server template.html
ATTACK TYPE: attempted-dos
tcp :3084 -> 192.168.22.205:8080
Reference => http://www.securityfocus.com/bid/1288
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0474

ATTACK: DOS Bay/Nortel Nautica Marlin
ATTACK TYPE: attempted-dos
udp :55377 -> 192.168.22.205:161
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0221
Reference => http://www.securityfocus.com/bid/1009

ATTACK: DOS Ascend Route
ATTACK TYPE: attempted-dos
udp :13038 -> 192.168.22.205:9
Reference => http://www.whitehats.com/info/IDS262
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0060
Reference => http://www.securityfocus.com/bid/714

ATTACK: DOS arkiea backup
ATTACK TYPE: attempted-dos
tcp :7017 -> 192.168.22.205:617
Reference => http://www.whitehats.com/info/IDS261
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0788
Reference => http://www.securityfocus.com/bid/662

ATTACK: DOS Winnuke attack
ATTACK TYPE: attempted-dos
tcp :31843 -> 192.168.22.205:135:139
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0153
Reference => http://www.securityfocus.com/bid/2010

ATTACK: DOS MSDTC attempt
ATTACK TYPE: attempted-dos
tcp :14970 -> 192.168.22.205:3372
Reference => http://www.securityfocus.com/bid/4006

ATTACK: DOS iParty DOS attempt
ATTACK TYPE: misc-attack
tcp :18936 -> 192.168.22.205:6004
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1566

ATTACK: DOS DB2 dos attempt
ATTACK TYPE: denial-of-service
tcp :24671 -> 192.168.22.205:6789:6790

ATTACK: DOS Cisco attempt
ATTACK TYPE: web-application-attack
tcp :65150 -> 192.168.22.205:80



However, I do not see any alerts generated in the alert file, and when I
run tcpdump -i eth0, no packets are seen.

Am I missing something?

Thanks in advance,
Peggy
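The report above is what sneeze prints after reading each rule from the file given with -f: the rule's msg, its classtype, the protocol with source and destination ports (a port of "any" is replaced by a random one, a fixed port or range such as 135:139 is kept), and every reference expanded into a URL. The following is an added example, not sneeze's own code and not from the original post, that reproduces that report format from Snort 2.x rule lines. The three sample rules are constructed here and only modelled on entries in the output above (their detection options and local-range sids are illustrative); the reference-prefix table follows the classic entries of Snort's reference.config, and the target address and the port range used for "any" are assumptions.

```python
import random
import re

# Reference system -> URL prefix, as in the classic entries of Snort's
# reference.config. The output on the page shows cve, bugtraq, arachnids,
# cert and url expansions.
REFERENCE_PREFIX = {
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/bid/",
    "arachnids": "http://www.whitehats.com/info/IDS",
    "cert": "http://www.cert.org/advisories/",
    "url": "http://",
}

# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^alert\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*(?:->|<>)\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)
# One "keyword:value;" option; the value may be a quoted string containing ';'.
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')

# Constructed sample rules in Snort 2.x syntax, modelled on entries sneeze
# reported above. Detection options are illustrative and the sids are from
# the local range, not the real dos.rules ids.
SAMPLE_RULES = """\
# constructed dos.rules-style input
alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"DOS Winnuke attack"; flags:U+; reference:cve,CVE-1999-0153; reference:bugtraq,2010; classtype:attempted-dos; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; dsize:0; reference:cve,CVE-2000-0221; reference:bugtraq,1009; classtype:attempted-dos; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"DOS DB2 dos attempt"; flow:to_server,established; classtype:denial-of-service; sid:1000003; rev:1;)
"""


def parse_rule(line):
    """Parse one 'alert' rule into the fields sneeze reports, or None for
    comments, blank lines and anything that is not an alert rule."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    opts, refs = {}, []
    for key, val in OPTION_RE.findall(m.group("body")):
        val = val.strip().strip('"')
        if key == "reference":
            refs.append(val)          # keep every reference, in rule order
        else:
            opts.setdefault(key, val)  # first occurrence wins (msg, classtype)
    return {
        "proto": m.group("proto"),
        "sport": m.group("sport"),
        "dport": m.group("dport"),
        "msg": opts.get("msg", ""),
        "classtype": opts.get("classtype", ""),
        "references": refs,
    }


def expand_reference(ref):
    """Turn 'system,id' into the URL sneeze prints; unknown systems pass through."""
    system, _, ident = ref.partition(",")
    prefix = REFERENCE_PREFIX.get(system.lower())
    return ref if prefix is None else prefix + ident


def pick_port(spec, rng=None):
    """'any' becomes a random port (assumed range 1024-65535); a fixed port or
    a range like 135:139 is printed as written, as in the output above."""
    rng = rng or random.Random()
    return str(rng.randint(1024, 65535)) if spec.lower() == "any" else spec


def render(rule, dst, rng=None):
    """Format one parsed rule the way sneeze reports it."""
    rng = rng or random.Random()
    lines = [
        f"ATTACK: {rule['msg']}",
        f"ATTACK TYPE: {rule['classtype']}",
        f"{rule['proto']} :{pick_port(rule['sport'], rng)} -> {dst}:{pick_port(rule['dport'], rng)}",
    ]
    lines += [f"Reference => {expand_reference(r)}" for r in rule["references"]]
    return "\n".join(lines)


def sneeze_report(rules_text, dst, seed=None):
    """Build the full report for a rules file; a seed makes the ports repeatable."""
    rng = random.Random(seed)
    blocks = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            blocks.append(render(rule, dst, rng))
    return "\n\n".join(blocks)


if __name__ == "__main__":
    # Assumed target, taken from the -d argument in the post.
    print(sneeze_report(SAMPLE_RULES, "192.168.22.205"))
```

This only reproduces the rule-parsing and reporting side; it sends nothing, so a matching report says the rules file was read correctly and nothing about whether packets actually leave eth0.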