[Snort-users] how to handle this problem

AJ Butcher, Information Systems and Computing Alex.Butcher at ...11254...
Thu May 20 06:56:03 EDT 2004


--On 20 May 2004 14:54 +0200 derk van de Velde <derk at ...11777...> wrote:

> hi,
>
> if found this in met authlog from snort
>
> May 20 02:19:28 pcvisie snort: [1:2307:2] WEB-PHP PayPal Storefront
> arbitrary command execution attempt [Classification: Web Application
> Attack] [Priority: 1]: {TCP} 10.0.3.128:4978 -> 207.46.130.110:80
> May 20 02:19:28 pcvisie snort: [1:2307:2] WEB-PHP PayPal Storefront
> arbitrary command execution attempt [Classification: Web Application
> Attack] [Priority: 1]: {TCP} 10.0.3.128:4979 -> 207.46.130.110:80
>
> snortalog said high
>
> when i check the 2307 sid on snort.org, it is not clear to me how t handle
> this.

1) Check who the target machine (207.46.130.110) belongs to. According to 
WHOIS, it's Hotmail, so /if/ this /is/ a real attack, it's one of your 
users  (I assume, from the 10.0.0.0/8 address) attacking Hotmail.

2) Verify whether the target machine is using PayPal Storefront. I would 
suggest "probably not".

3) Examine the payload of the packets that triggered the alert and compare 
with the rule to determine whether the rule might be a bit too dumb, and 
could be triggered by innocuous traffic (e.g. email, web pages, image 
files).

> what steps should i take

If this is a real attack (I would guess not), the rest depends on your 
organisation's policy for dealing with misuse of its computer systems and 
networks. This is almost certainly a legal, rather than a technical matter.

> regards,
> derk

HTH,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9






More information about the Snort-users mailing list