[Snort-users] Newbie Questions

James Sinnamon frodo000 at ...368...
Sun Jul 11 00:23:02 EDT 2004


Dear snorters,

1. Where to find information regarding records in 'alert' log files?
--------------------------------------------------------------------------------------------

I noticed, by chance, an attempted IIS attack against my apache webserver, 
when I was watching the httpd log files.  (I was advised by someone on 
the debian-firewall mailing list that it looked like an IIS attack.)  

The snort alert file showed two records which closely match the attack:

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
07/10-11:32:45.770453 xxx.xxx.xxx.xxx:2291 -> xxx.xxx.xxx.xxx:80
TCP TTL:120 TOS:0x0 ID:25375 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xACEA38FD  Ack: 0x79BE56AF  Win: 0x4470  TcpLen: 20

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]
07/10-11:32:45.861390 xxx.xxx.xxx.xxx:2291 -> xxx.xxx.xxx.xxx:80
TCP TTL:120 TOS:0x0 ID:25376 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xACEA3EB1  Ack: 0x79BE56AF  Win: 0x4470  TcpLen: 20

Where can I find more information about these alerts?  Is there a snort ID
somewhere in these records, or something else which I can use in a query of
http://www.snort.org/snort-db/

2. 'OVERSIZE CHUNK ENCODING' alert
-------------------------------------------------------
I would also like to understand the significance of another other kind
of record:

[**] [119:16:1] (http_inspect) OVERSIZE CHUNK ENCODING [**]
07/11-16:25:57.693323 144.132.250.188:33903 -> 202.139.232.71:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1290
***AP*** Seq: 0xEE4A9389  Ack: 0x8D7C522A  Win: 0x3F8E  TcpLen: 20

... from my incomplete understanding, it seems to be originating from 
my own server (144.132.250.188), so I am not sure what to make of
it, but if someone could point me towards the documentation I would 
be greatly obliged.

3. No need for alarm, yet?
----------------------------------------
I have open listening ports for ssh, https, smtp and icmp (ping) as well 
well as http.  I have used all the rules (except a few obviously 
inapplicable ones) supplied with my Debian (testing) package.

When I grep'd the (unzipped) alert.* logs, I only found alerts relating
to 80/http (using 'grep " - > " alert* | grep ":25$" for example), so 
can I assume that no-one out there has so far attempted to attack these 
other ports with any form of attack already known to snort?

4. Rules not necesary for firewall blocked ports?
------------------------------------------------------------------

Can someone confirm: I only need use rules relating to unblocked ports,
so there is no reason to use rules related to, as examples, pop3, imap,
squid and postgresql, until I decide to run these services and unblock 
their listening ports?

Does the use of redundant rules (if they are redundant) incur a 
signficant cost in performance?

TIA,

James

-- 
James Sinnamon
frodo000 at ...12095... net au 
+61 412 319669, +61 2 95692123
(aka jaymz-.a.t.-bigpond-net-auStralia)




More information about the Snort-users mailing list