[Snort-users] RE: Snort within Astaro Secure Linux

doug doug at ...13122...
Thu Mar 3 05:08:35 EST 2005


It appears that my firewall has been compromised.  I wanted to verify
this with folks more familiar with snort.

The logs are at the bottom of this message.
It appears that an attack was initiated from 208.254.45.206 and
succeeded in compromising my firewall within seven minutes, then
continued the attack from the firewall itself.

Can someone help me out with this?
This would be a serious compromise of a well respected firewall.
I'm very much interested in getting to the bottom of this.

Regards,

~Doug

Local logfile query - Query term: DOS - Time span: 2005-03-01 -> 2005-03-02
Intrusion Protection System
2005:03:01-12:32:10 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:13 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:19 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:31 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:55 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:33:43 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:02-12:49:59 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:49:59 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:49:59 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:00 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:01 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:02 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:06 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:12 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:26 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:53 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt
[Classification: Attempted Denial of Service] [Priority: 2]: <(null)>
{PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
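As an added triage example (not part of the original post, and not Astaro or Snort code), the script below parses Snort "fast" alert lines like the ones above, groups them into flows, measures how long each burst lasted and how far apart the two bursts are, and attaches a direction hint: an alert whose source port is a well-known service port and whose destination port is ephemeral is usually the server half of a connection, which is worth knowing before concluding that a host "attacked" another. The sample lines are the first and last alert of each burst from the post, re-joined onto single lines; treating 8081 as a service port (for instance a proxy listener on the firewall) is an assumption of the heuristic, not something the post states.

```python
"""Triage helper for Snort 'fast'-format alert lines (added example, not from the post)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the first and last alert of each burst from the post,
# each re-joined onto one line the way Snort originally wrote it.
SAMPLE_LOG = """\
2005:03:01-12:32:10 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:33:43 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:02-12:49:59 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:53 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: <(null)> {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
"""

# One alert per line: timestamp, gid:sid:rev, message, classification,
# priority, protocol tag and the src:port -> dst:port pair.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"<[^>]*> \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports assumed to be the *server* side of a connection. Including 8081 is an
# assumption of this example (e.g. a proxy listener); the post does not say so.
SERVICE_PORTS = {80, 443, 8080, 8081}


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["time"] = datetime.strptime(a["ts"], "%Y:%m:%d-%H:%M:%S")
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        a[key] = int(a[key])
    return a


def parse_log(text):
    """Parse every alert line in a log excerpt, skipping anything unparseable."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def group_flows(alerts):
    """Group alerts by (src, sport, dst, dport, sid) so a burst becomes one entry."""
    flows = defaultdict(list)
    for a in alerts:
        flows[(a["src"], a["sport"], a["dst"], a["dport"], a["sid"])].append(a)
    return dict(flows)


def flow_summary(alerts):
    """Count, first/last timestamp and duration in seconds for one flow."""
    times = sorted(a["time"] for a in alerts)
    return {"count": len(alerts), "first": times[0], "last": times[-1],
            "duration_s": int((times[-1] - times[0]).total_seconds())}


def direction_hint(sport, dport):
    """Heuristic: service port -> ephemeral port looks like reply traffic."""
    if sport in SERVICE_PORTS and dport >= 1024:
        return "server-to-client reply (rule may be matching response traffic)"
    if dport in SERVICE_PORTS and sport >= 1024:
        return "client-to-server request"
    return "undetermined"


def seconds_between_bursts(flows):
    """Seconds from the end of the earliest flow to the start of the next one."""
    ordered = sorted(flow_summary(v) for v in flows.values()) if False else \
        sorted((flow_summary(v) for v in flows.values()), key=lambda s: s["first"])
    if len(ordered) < 2:
        return 0
    return int((ordered[1]["first"] - ordered[0]["last"]).total_seconds())


def triage(text):
    """One summary line per flow: endpoints, burst length and direction hint."""
    flows = group_flows(parse_log(text))
    rows = []
    for (src, sport, dst, dport, sid), alerts in sorted(flows.items()):
        s = flow_summary(alerts)
        rows.append({"flow": f"{src}:{sport} -> {dst}:{dport} (sid {sid})",
                     "alerts": s["count"], "duration_s": s["duration_s"],
                     "hint": direction_hint(sport, dport)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
    print("gap between bursts (s):", seconds_between_bursts(group_flows(parse_log(SAMPLE_LOG))))
```

Run against the full log the same way; the grouping makes it obvious that both bursts terminate at 10.1.1.5:3372 and that in each case the alerting packets come from a service port, which is the question to settle (with a packet capture of that flow) before treating the second burst as an attack launched by the firewall.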