[Snort-users] Suggested directions for inverstigation??
mikek at ...12706...
Tue Nov 23 22:24:42 EST 2004
I just brought up my snort\acid\mysql box.
I have a situation where I am seeing hundreds of alerts with the same
source IP and the same destination IP; it seems to be getting hit by 3
alert signatures, these alerts are climbing the ports on the source but
all point back to the destination on port 80.
The alerts are
(http_inspect) APACHE WHITESPACE (TAB)
(http_inspect) BARE BYTE UNICODE ENCODING
(http_inspect) NON-RFC HTTP DELIMITER
Since I'm seeing the ports increment numerically (most of the time,
sometimes there are gaps of 2-10 ports) I'm under the impression I'm
getting port scanned on the source box (internal IP on corp network) by
the destination (public IP).
Would anyone (please) point me in the next direction on investigating
what is going on and what to do. My team and I can "big hammer" the
situation by formatting the destination and securing the firewall
implicitly on the source IP, but what I'm hoping to find out is what
would those of you with years of working these incidents do?
Here is the ARIN whois on the source IP
Server Used: [ whois.arin.net ]
<http://www.samspade.org/t/whois?a=220.127.116.11;server=auto> = [
OrgName: BroadBand Solutions America
Address: 630 West 9560 South Suite A
NetType: Direct Allocation
Thanks in advance to any and all suggestions (tell me which ones to read
and I'll RTFM!!!)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users