[Wolves] Worrying SNORT results

Old Dan wolves at mailman.lug.org.uk
Thu Feb 20 10:38:00 2003


Hello all

Hmmm.  I'm running snort here at work and I'm getting a concerning 
number of hack attempts on the server. (Log follows)  Completely 
different to when I run it at home, where there's perhaps one or two 
ICMP attacks recorded per day.  I'm especially concerned about the 
possible fragroute packets - does this mean someone's aliasing through me?

Anyone know how dangerous these attacks are?  This kind of result seems 
to have been happening daily for the last 4/5 days or so.

Dan
PS Sorry couldn't make it to the meet as I had OU Astronomy stuff to do.

The log begins from: 01 01 00:48:50
The log ends     at: 02 20 02:59:25
Total events: 48
Signatures recorded: 8
Source IP recorded: 12
Destination IP recorded: 7


The number of attacks from same host to same
destination using same method
=========================================================================
   # of
  attacks  from              to                method
=========================================================================
    13     202.131.108.141   217.34.234.217    possible EVASIVE RST detection
    5      217.34.234.217    216.239.33.100    TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
    5      80.5.176.144      217.34.234.217    possible EVASIVE RST detection
    5      217.34.234.217    216.239.37.101    TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
    3      217.34.234.217    194.73.73.90      Multiple Acked Packets (possible fragroute)
    3      69.3.61.61        217.34.234.217    SCAN SOCKS Proxy attempt
    2      217.34.234.217    63.88.212.82      TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
    2      217.34.234.217    194.73.73.90      TCP TOO FAST RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection
    1      217.34.234.217    80.5.176.144      possible EVASIVE RST detection
    1      217.34.234.217    196.3.79.204      possible EVASIVE RST detection
    1      66.135.192.83     217.34.234.217    possible EVASIVE RST detection
    1      217.32.252.50     217.34.234.217    NNTP return code buffer overflow attempt
    1      209.61.238.216    217.34.234.217    possible EVASIVE RST detection
    1      210.3.60.152      217.34.234.217    ICMP PING NMAP
    1      216.239.37.101    217.34.234.217    possible EVASIVE RST detection
    1      133.103.74.14     217.34.234.217    RPC portmap listing
    1      216.239.33.100    217.34.234.217    possible EVASIVE RST detection
    1      81.77.80.138      217.34.234.217    possible EVASIVE RST detection


Percentage and number of attacks from a host to a
destination
============================================================
         #  of
   %    attacks   from              to
============================================================
27.08    13      202.131.108.141   217.34.234.217
10.42    5       217.34.234.217    216.239.33.100
10.42    5       217.34.234.217    194.73.73.90
10.42    5       80.5.176.144      217.34.234.217
10.42    5       217.34.234.217    216.239.37.101
  6.25    3       69.3.61.61        217.34.234.217
  4.17    2       217.34.234.217    63.88.212.82
  2.08    1       81.77.80.138      217.34.234.217
  2.08    1       209.61.238.216    217.34.234.217
  2.08    1       210.3.60.152      217.34.234.217
  2.08    1       133.103.74.14     217.34.234.217
  2.08    1       217.32.252.50     217.34.234.217
  2.08    1       217.34.234.217    196.3.79.204
  2.08    1       66.135.192.83     217.34.234.217
  2.08    1       216.239.33.100    217.34.234.217
  2.08    1       216.239.37.101    217.34.234.217
  2.08    1       217.34.234.217    80.5.176.144


Percentage and number of attacks from one host to any
with same method
==============================================================
         #  of
   %    attacks   from              method
==============================================================
27.08    13      202.131.108.141   possible EVASIVE RST detection
25.00    12      217.34.234.217    TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
10.42    5       80.5.176.144      possible EVASIVE RST detection
  6.25    3       217.34.234.217    Multiple Acked Packets (possible fragroute)
  6.25    3       69.3.61.61        SCAN SOCKS Proxy attempt
  4.17    2       217.34.234.217    TCP TOO FAST RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection
  4.17    2       217.34.234.217    possible EVASIVE RST detection
  2.08    1       210.3.60.152      ICMP PING NMAP
  2.08    1       81.77.80.138      possible EVASIVE RST detection
  2.08    1       133.103.74.14     RPC portmap listing
  2.08    1       209.61.238.216    possible EVASIVE RST detection
  2.08    1       216.239.37.101    possible EVASIVE RST detection
  2.08    1       66.135.192.83     possible EVASIVE RST detection
  2.08    1       217.32.252.50     NNTP return code buffer overflow attempt
  2.08    1       216.239.33.100    possible EVASIVE RST detection


Percentage and number of attacks to one certain host
=================================================================
         #  of
   %    attacks   to                method
=================================================================
47.92    23      217.34.234.217   possible EVASIVE RST detection
10.42    5       216.239.37.101   TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
10.42    5       216.239.33.100   TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
  6.25    3       194.73.73.90     Multiple Acked Packets (possible fragroute)
  6.25    3       217.34.234.217   SCAN SOCKS Proxy attempt
  4.17    2       194.73.73.90     TCP TOO FAST RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection
  4.17    2       63.88.212.82     TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
  2.08    1       80.5.176.144     possible EVASIVE RST detection
  2.08    1       217.34.234.217   RPC portmap listing
  2.08    1       217.34.234.217   ICMP PING NMAP
  2.08    1       196.3.79.204     possible EVASIVE RST detection
  2.08    1       217.34.234.217   NNTP return code buffer overflow attempt


The distribution of attack methods
===============================================
         #  of
   %    attacks   method
===============================================
52.08    25      possible EVASIVE RST detection
                 13    202.131.108.141 -> 217.34.234.217
                 5     80.5.176.144    -> 217.34.234.217
                 1     217.34.234.217  -> 80.5.176.144
                 1     217.34.234.217  -> 196.3.79.204
                 1     66.135.192.83   -> 217.34.234.217
                 1     209.61.238.216  -> 217.34.234.217
                 1     216.239.37.101  -> 217.34.234.217
                 1     216.239.33.100  -> 217.34.234.217
                 1     81.77.80.138    -> 217.34.234.217
25.00    12      TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
                 5     217.34.234.217  -> 216.239.33.100
                 5     217.34.234.217  -> 216.239.37.101
                 2     217.34.234.217  -> 63.88.212.82
  6.25    3       SCAN SOCKS Proxy attempt
                 3     69.3.61.61      -> 217.34.234.217
  6.25    3       Multiple Acked Packets (possible fragroute)
                 3     217.34.234.217  -> 194.73.73.90
  4.17    2       TCP TOO FAST RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection
                 2     217.34.234.217  -> 194.73.73.90
  2.08    1       ICMP PING NMAP
                 1     210.3.60.152    -> 217.34.234.217
  2.08    1       RPC portmap listing
                 1     133.103.74.14   -> 217.34.234.217
  2.08    1       NNTP return code buffer overflow attempt
                 1     217.32.252.50   -> 217.34.234.217
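An added triage example for the summary above; this is not code from Dan's post or from the Snort distribution. The four messages reading "possible EVASIVE RST detection" and "... (possible fragroute) detection" are emitted by Snort's stream4 preprocessor when its detect_state_problems option is enabled, not by signature rules, and a practitioner reading this kind of summary would first separate those from the rule alerts (SCAN SOCKS, NNTP overflow, RPC portmap, NMAP ping) and then split each group by direction relative to the monitored host. The script below does exactly that: it parses the first table of the post (embedded as constructed input, with several rows left line-wrapped the way the mail shows them, so the parser has to re-join them), picks the monitored host as the one address present in every row, and reports event counts per (alert kind, direction). The marker strings and the "one address in every row" heuristic are the script's own assumptions.

```python
"""Triage a snort_stat-style alert summary.

Added example for this post; not code from Snort or from the original
mail.  It separates Snort stream4 state-problem alerts (the
"possible EVASIVE RST" and "(possible fragroute)" messages, emitted by
the preprocessor when detect_state_problems is enabled) from rule
alerts, and splits each group by direction relative to the monitored
host, taken to be the one address that appears in every row.
"""
import re
from collections import Counter

# Constructed input: the "same host to same destination using same
# method" table from the post, with several rows left line-wrapped
# exactly as the mail shows them, so the parser must re-join them.
SUMMARY = """\
   # of
  attacks  from              to                method
=========================================================================
    13     202.131.108.141   217.34.234.217    possible EVASIVE RST
detection
    5      217.34.234.217    216.239.33.100    TCP CHECKSUM CHANGED ON
RETRANSMISSION (possible fragroute) detection
    5      80.5.176.144      217.34.234.217    possible EVASIVE RST detection
    5      217.34.234.217    216.239.37.101    TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
    3      217.34.234.217    194.73.73.90      Multiple Acked Packets (possible fragroute)
    3      69.3.61.61        217.34.234.217    SCAN SOCKS Proxy attempt
    2      217.34.234.217    63.88.212.82      TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
    2      217.34.234.217    194.73.73.90      TCP TOO FAST RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection
    1      217.34.234.217    80.5.176.144      possible EVASIVE RST detection
    1      217.34.234.217    196.3.79.204      possible EVASIVE RST detection
    1      66.135.192.83     217.34.234.217    possible EVASIVE RST detection
    1      217.32.252.50     217.34.234.217    NNTP return code buffer
overflow attempt
    1      209.61.238.216    217.34.234.217    possible EVASIVE RST detection
    1      210.3.60.152      217.34.234.217    ICMP PING NMAP
    1      216.239.37.101    217.34.234.217    possible EVASIVE RST detection
    1      133.103.74.14     217.34.234.217    RPC portmap listing
    1      216.239.33.100    217.34.234.217    possible EVASIVE RST detection
    1      81.77.80.138      217.34.234.217    possible EVASIVE RST detection
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW_RE = re.compile(rf"^\s*(\d+)\s+({IPV4})\s+({IPV4})\s+(.+?)\s*$")

# Message fragments that identify stream4 detect_state_problems alerts
# (assumed marker strings, taken from the messages seen in the post).
STREAM4_STATE_MARKERS = ("possible EVASIVE RST", "(possible fragroute)")


def parse_summary(text):
    """Return (count, src, dst, method) tuples, re-joining wrapped rows."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append([int(m.group(1)), m.group(2), m.group(3), m.group(4)])
        elif rows and line.strip() and not line.startswith("="):
            # Not a row start: a continuation of the previous row's method.
            rows[-1][3] += " " + line.strip()
    return [tuple(r) for r in rows]


def is_stream4_state_alert(method):
    return any(marker in method for marker in STREAM4_STATE_MARKERS)


def monitored_host(rows):
    """The one address present in every row; raises if that is ambiguous."""
    if not rows:
        raise ValueError("no rows")
    common = set.intersection(*({src, dst} for _, src, dst, _ in rows))
    if len(common) != 1:
        raise ValueError(f"cannot pick a single monitored host: {sorted(common)}")
    return next(iter(common))


def triage(rows):
    """(monitored host, Counter keyed by (alert kind, direction) of event counts)."""
    home = monitored_host(rows)
    stats = Counter()
    for count, src, dst, method in rows:
        kind = "stream4_state" if is_stream4_state_alert(method) else "rule"
        direction = "outbound" if src == home else "inbound"
        stats[(kind, direction)] += count
    return home, stats


def rule_alerts(rows):
    """Rule-based alerts only, the ones worth a closer look, most events first."""
    hits = [r for r in rows if not is_stream4_state_alert(r[3])]
    return sorted(hits, key=lambda r: -r[0])


if __name__ == "__main__":
    parsed = parse_summary(SUMMARY)
    home, stats = triage(parsed)
    print(f"monitored host: {home}")
    for (kind, direction), n in sorted(stats.items()):
        print(f"{kind:14} {direction:9} {n:3}")
    for count, src, dst, method in rule_alerts(parsed):
        print(f"{count:3} {src:>16} -> {dst:<16} {method}")
```

Run as-is it reports 217.34.234.217 as the monitored host, 42 of the 48 events as stream4 state-problem alerts (19 of them outbound, i.e. sourced from the monitored host itself, which rules out an inbound attacker for those rows), and only 6 events from actual rules, all inbound. The same parser works on any snort_stat "from / to / method" table, wrapped or not; if the summary covers several monitored hosts the intersection heuristic fails loudly rather than guessing.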