[Snort-users] My Snort IDS Sensor Detected Nessus Vulnerability Scan

Teo En Ming teo.en.ming at ...11827...
Fri Apr 18 15:24:17 EDT 2014


Hi,

My Snort IDS sensor detected a Nessus vulnerability scan. The Nessus
vulnerability scan was launched from the WAN, outside of HOME_NET. However, the
alerts generated were few. It seems that the Snort rules are not comprehensive
enough.

Here are the alerts:

04/19-02:54:23.361505  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:50619 -> 192.168.1.146:80
04/19-02:54:24.940222  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:50631 -> 192.168.1.147:80
04/19-02:56:13.080227  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:53504 -> 192.168.1.146:80
04/19-02:56:19.700298  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:53644 -> 192.168.1.147:80
04/19-02:56:50.601653  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:54289 -> 192.168.1.146:80
04/19-02:56:52.220320  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:54304 -> 192.168.1.147:80
04/19-02:57:02.961654  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:54605 -> 192.168.1.146:80
04/19-02:57:04.180442  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:54615 -> 192.168.1.147:80
04/19-02:57:21.921667  [**] [1:22063:9] SERVER-WEBAPP PHP-CGI remote file include attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.15.38:55062 -> 192.168.1.146:80
04/19-02:57:23.962694  [**] [1:22063:9] SERVER-WEBAPP PHP-CGI remote file include attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.15.38:55145 -> 192.168.1.147:80

Please note that Snort cannot detect an nmap scan.

Thank you.

Regards,

Teo En Ming
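The alerts in the post are few, but read together they already carry the fingerprint of a scanner: one external source hitting several internal hosts with several unrelated signatures within minutes. The script below is an added example, not code from the original post or from the Snort project. It parses Snort's default alert_fast line layout (assumed to be the Snort 2.x format shown in the post), groups alerts by source address, and flags sources whose alerts span at least two targets and two signature IDs inside a short window. The sample input reuses four of the alert lines from the post with the mailing-list line wrapping removed; the line tagged LOCAL (sid 1000001, source 10.0.0.5) and the trailing junk line are constructed to exercise the no-Classification case and the skip-on-no-match path. The thresholds, the window, and the year supplied to the timestamp parser (alert_fast prints no year) are assumptions.

```python
"""Aggregate Snort alert_fast lines per source to tell a vulnerability scan
(one source, many targets, many signatures) from an isolated hit.

Added example, not from the Snort project or the original post.  The first
four sample alerts are copied from the post (line wrapping removed); the LOCAL
alert and the junk line are constructed.
"""
import re
from datetime import datetime, timedelta

# Snort 2.x alert_fast layout: timestamp, [**] [gid:sid:rev] msg [**],
# an optional [Classification: ...], [Priority: n], {proto} src:sport -> dst:dport.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

SAMPLE_ALERTS = """\
04/19-02:54:23.361505  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:50619 -> 192.168.1.146:80
04/19-02:54:24.940222  [**] [1:25975:2] POLICY-OTHER Adobe ColdFusion admin interface access attempt [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 171.207.15.38:50631 -> 192.168.1.147:80
04/19-02:57:21.921667  [**] [1:22063:9] SERVER-WEBAPP PHP-CGI remote file include attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.15.38:55062 -> 192.168.1.146:80
04/19-02:57:23.962694  [**] [1:22063:9] SERVER-WEBAPP PHP-CGI remote file include attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.15.38:55145 -> 192.168.1.147:80
04/19-03:10:00.000000  [**] [1:1000001:1] LOCAL constructed test alert [**] [Priority: 3] {TCP} 10.0.0.5:40000 -> 192.168.1.146:80
this line is not an alert and must be skipped
"""


def parse_alerts(text, year=2014):
    """Parse alert_fast lines into dicts, skipping lines that do not match
    (wrapped fragments, blank lines).  alert_fast carries no year, so one is
    supplied; 2014 here is an assumption taken from the post's date."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["when"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        a["sid"] = int(a["sid"])
        a["prio"] = int(a["prio"])
        alerts.append(a)
    return alerts


def summarize_by_source(alerts):
    """Group alerts by source IP: count, distinct targets, distinct sids, and
    the first/last timestamp seen."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a["src"], {"alerts": 0, "targets": set(), "sids": set(),
                                           "first": a["when"], "last": a["when"]})
        s["alerts"] += 1
        s["targets"].add(a["dst"])
        s["sids"].add(a["sid"])
        s["first"] = min(s["first"], a["when"])
        s["last"] = max(s["last"], a["when"])
    return summary


def flag_scanners(summary, min_targets=2, min_sids=2, window=timedelta(minutes=10)):
    """Sources that hit several hosts with several different signatures inside
    `window`: scanner behaviour rather than a single targeted attempt.
    Thresholds and window are assumptions; tune them to the sensor's traffic."""
    return sorted(
        src for src, s in summary.items()
        if len(s["targets"]) >= min_targets
        and len(s["sids"]) >= min_sids
        and s["last"] - s["first"] <= window
    )


if __name__ == "__main__":
    by_src = summarize_by_source(parse_alerts(SAMPLE_ALERTS))
    for src, s in by_src.items():
        print(f"{src}: {s['alerts']} alerts, {len(s['targets'])} targets, sids={sorted(s['sids'])}")
    print("scanner-like sources:", flag_scanners(by_src))
```

On the post's data this flags 171.207.15.38 (two targets, sids 25975 and 22063 within about three minutes) and leaves the constructed single-hit source alone. Two caveats for anyone reproducing this against a live sensor: signature coverage of a Nessus run will always look thin, because most plugins probe rather than exploit and only the probes that match a rule produce an alert, so correlating across the few alerts that do fire is the useful signal; and port scans such as nmap's are not the job of the rule set at all but of the sfportscan preprocessor in snort.conf, which writes to its own portscan log and produces nothing if it is not enabled.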