[Snort-users] Suggested directions for inverstigation??

Mike Kelley mikek at ...12706...
Tue Nov 23 22:24:42 EST 2004


I just brought up my snort\acid\mysql box.

 

I have a situation where I am seeing hundreds of alerts with the same
source IP and the same destination IP; it seems to be getting hit by 3
alert signatures, these alerts are climbing the ports on the source but
all point back to the destination on port 80.

 

The alerts are 

 

(http_inspect) APACHE WHITESPACE (TAB)   

(http_inspect) BARE BYTE UNICODE ENCODING   

(http_inspect) NON-RFC HTTP DELIMITER

 

Since I'm seeing the ports increment numerically (most of the time,
sometimes there are gaps of 2-10 ports) I'm under the impression I'm
getting port scanned on the source box (internal IP on corp network) by
the destination (public IP).

 

Would anyone (please) point me in the next direction on investigating
what is going on and what to do. My team and I can "big hammer" the
situation by formatting the destination and securing the firewall
implicitly on the source IP, but what I'm hoping to find out is what
would those of you with years of working these incidents do?

 

Here is the ARIN whois on the source IP

**SNIP** 

Server Used: [ whois.arin.net ]

66.182.90.242
<http://www.samspade.org/t/whois?a=66.182.90.242;server=auto>  = [
cust-66-182-90-242.bbsc.net
<http://www.samspade.org/t/whois?a=cust-66-182-90-242.bbsc.net;server=au
to>  ] 

 
  OrgName:    BroadBand Solutions America 
  OrgID:      BSA-26 
  Address:    630 West 9560 South Suite A 
  City:       Sandy 
  StateProv:  UT 
  PostalCode: 84070 
  Country:    US 
  NetRange:   66.182.64.0
<http://www.samspade.org/t/whois?a=66.182.64.0;server=auto>  -
66.182.95.255
<http://www.samspade.org/t/whois?a=66.182.95.255;server=auto>  
  CIDR:       66.182.64.0/19 
  NetName:    BBSC-NET 
  NetHandle:   NET-66-182-64-0-1
<http://www.samspade.org/t/whois?a=NET-66-182-64-0-1;server=whois.arin.n
et>  
  Parent:     NET-66-0-0-0-0 
  NetType:    Direct Allocation 
  NameServer: NS1.BBSC.NET
<http://www.samspade.org/t/whois?a=NS1.BBSC.NET;server=auto>  
  NameServer: NS4.BBSC.NET
<http://www.samspade.org/t/whois?a=NS4.BBSC.NET;server=auto>  

 

**SNIP**

 

Thanks in advance to any and all suggestions (tell me which ones to read
and I'll RTFM!!!)

Mike 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20041123/1b389377/attachment.html>


More information about the Snort-users mailing list