[Wolves] Worrying SNORT results
Old Dan
wolves at mailman.lug.org.uk
Thu Feb 20 10:38:00 2003
Hello all
Hmmm. I'm running snort here at work and I'm getting a concerning
number of hack attempts on the server. (Log follows) Completely
different to when I run it at home, where there's perhaps one or two
ICMP attacks recorded per day. I'm especially concerned about the
possible fragroute packets - does this mean someone's aliasing through me?
Anyone know how dangerous these attacks are? This kind of result seems
to have been happening daily for the last 4/5 days or so.
Dan
PS Sorry couldn't make it to the meet as I had OU Astronomy stuff to do.
The log begins from: 01 01 00:48:50
The log ends at: 02 20 02:59:25
Total events: 48
Signatures recorded: 8
Source IP recorded: 12
Destination IP recorded: 7
The number of attacks from same host to same
destination using same method
=========================================================================
# of
attacks from to method
=========================================================================
13 202.131.108.141 217.34.234.217 possible EVASIVE RST
detection
5 217.34.234.217 216.239.33.100 TCP CHECKSUM CHANGED ON
RETRANSMISSION (possible fragroute) detection
5 80.5.176.144 217.34.234.217 possible EVASIVE RST
detection
5 217.34.234.217 216.239.37.101 TCP CHECKSUM CHANGED ON
RETRANSMISSION (possible fragroute) detection
3 217.34.234.217 194.73.73.90 Multiple Acked Packets
(possible fragroute)
3 69.3.61.61 217.34.234.217 SCAN SOCKS Proxy attempt
2 217.34.234.217 63.88.212.82 TCP CHECKSUM CHANGED ON
RETRANSMISSION (possible fragroute) detection
2 217.34.234.217 194.73.73.90 TCP TOO FAST
RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection
1 217.34.234.217 80.5.176.144 possible EVASIVE RST
detection
1 217.34.234.217 196.3.79.204 possible EVASIVE RST
detection
1 66.135.192.83 217.34.234.217 possible EVASIVE RST
detection
1 217.32.252.50 217.34.234.217 NNTP return code buffer
overflow attempt
1 209.61.238.216 217.34.234.217 possible EVASIVE RST
detection
1 210.3.60.152 217.34.234.217 ICMP PING NMAP
1 216.239.37.101 217.34.234.217 possible EVASIVE RST
detection
1 133.103.74.14 217.34.234.217 RPC portmap listing
1 216.239.33.100 217.34.234.217 possible EVASIVE RST
detection
1 81.77.80.138 217.34.234.217 possible EVASIVE RST
detection
Percentage and number of attacks from a host to a
destination
============================================================
# of
% attacks from to
============================================================
27.08 13 202.131.108.141 217.34.234.217
10.42 5 217.34.234.217 216.239.33.100
10.42 5 217.34.234.217 194.73.73.90
10.42 5 80.5.176.144 217.34.234.217
10.42 5 217.34.234.217 216.239.37.101
6.25 3 69.3.61.61 217.34.234.217
4.17 2 217.34.234.217 63.88.212.82
2.08 1 81.77.80.138 217.34.234.217
2.08 1 209.61.238.216 217.34.234.217
2.08 1 210.3.60.152 217.34.234.217
2.08 1 133.103.74.14 217.34.234.217
2.08 1 217.32.252.50 217.34.234.217
2.08 1 217.34.234.217 196.3.79.204
2.08 1 66.135.192.83 217.34.234.217
2.08 1 216.239.33.100 217.34.234.217
2.08 1 216.239.37.101 217.34.234.217
2.08 1 217.34.234.217 80.5.176.144
Percentage and number of attacks from one host to any
with same method
==============================================================
# of
% attacks from method
==============================================================
27.08 13 202.131.108.141 possible EVASIVE RST detection
25.00 12 217.34.234.217 TCP CHECKSUM CHANGED ON
RETRANSMISSION (possible fragroute) detection
10.42 5 80.5.176.144 possible EVASIVE RST detection
6.25 3 217.34.234.217 Multiple Acked Packets (possible
fragroute)
6.25 3 69.3.61.61 SCAN SOCKS Proxy attempt
4.17 2 217.34.234.217 TCP TOO FAST RETRANSMISSION WITH
DIFFERENT DATA SIZE (possible fragroute) detection
4.17 2 217.34.234.217 possible EVASIVE RST detection
2.08 1 210.3.60.152 ICMP PING NMAP
2.08 1 81.77.80.138 possible EVASIVE RST detection
2.08 1 133.103.74.14 RPC portmap listing
2.08 1 209.61.238.216 possible EVASIVE RST detection
2.08 1 216.239.37.101 possible EVASIVE RST detection
2.08 1 66.135.192.83 possible EVASIVE RST detection
2.08 1 217.32.252.50 NNTP return code buffer overflow attempt
2.08 1 216.239.33.100 possible EVASIVE RST detection
Percentage and number of attacks to one certain host
=================================================================
# of
% attacks to method
=================================================================
47.92 23 217.34.234.217 possible EVASIVE RST detection
10.42 5 216.239.37.101 TCP CHECKSUM CHANGED ON RETRANSMISSION
(possible fragroute) detection
10.42 5 216.239.33.100 TCP CHECKSUM CHANGED ON RETRANSMISSION
(possible fragroute) detection
6.25 3 194.73.73.90 Multiple Acked Packets (possible
fragroute)
6.25 3 217.34.234.217 SCAN SOCKS Proxy attempt
4.17 2 194.73.73.90 TCP TOO FAST RETRANSMISSION WITH
DIFFERENT DATA SIZE (possible fragroute) detection
4.17 2 63.88.212.82 TCP CHECKSUM CHANGED ON
RETRANSMISSION (possible fragroute) detection
2.08 1 80.5.176.144 possible EVASIVE RST detection
2.08 1 217.34.234.217 RPC portmap listing
2.08 1 217.34.234.217 ICMP PING NMAP
2.08 1 196.3.79.204 possible EVASIVE RST detection
2.08 1 217.34.234.217 NNTP return code buffer overflow attempt
The distribution of attack methods
===============================================
# of
% attacks method
===============================================
52.08 25 possible EVASIVE RST detection
13 202.131.108.141 -> 217.34.234.217
5 80.5.176.144 -> 217.34.234.217
1 217.34.234.217 -> 80.5.176.144
1 217.34.234.217 -> 196.3.79.204
1 66.135.192.83 -> 217.34.234.217
1 209.61.238.216 -> 217.34.234.217
1 216.239.37.101 -> 217.34.234.217
1 216.239.33.100 -> 217.34.234.217
1 81.77.80.138 -> 217.34.234.217
25.00 12 TCP CHECKSUM CHANGED ON RETRANSMISSION (possible
fragroute) detection
5 217.34.234.217 -> 216.239.33.100
5 217.34.234.217 -> 216.239.37.101
2 217.34.234.217 -> 63.88.212.82
6.25 3 SCAN SOCKS Proxy attempt
3 69.3.61.61 -> 217.34.234.217
6.25 3 Multiple Acked Packets (possible fragroute)
3 217.34.234.217 -> 194.73.73.90
4.17 2 TCP TOO FAST RETRANSMISSION WITH DIFFERENT DATA SIZE
(possible fragroute) detection
2 217.34.234.217 -> 194.73.73.90
2.08 1 ICMP PING NMAP
1 210.3.60.152 -> 217.34.234.217
2.08 1 RPC portmap listing
1 133.103.74.14 -> 217.34.234.217
2.08 1 NNTP return code buffer overflow attempt
1 217.32.252.50 -> 217.34.234.217
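An added example, not from Dan's mail and not Snort's own code: a small Python script that parses the first summary table above (embedded as it arrived, wrapped method names included) and splits every method into inbound and outbound counts relative to 217.34.234.217, the one address present in every row (assumed here to be the monitored server). The split is useful for triage because the "possible EVASIVE RST" and "(possible fragroute)" alerts are state-problem heuristics from Snort's stream4 preprocessor rather than rule matches, and in this table all 19 events on traffic leaving 217.34.234.217 are of that kind, while the rule-based alerts (SOCKS proxy scan, NNTP overflow attempt, RPC portmap listing, NMAP ping) are all inbound. The "stream4-anomaly" / "signature" labels and the HOST assumption are the example's own.

```python
import re

# Address present in every row of the table; assumed to be the monitored server.
HOST = "217.34.234.217"

# First summary table from the mail, embedded as it arrived (wrapped lines kept).
REPORT = """\
The number of attacks from same host to same
destination using same method
=========================================================================
# of
attacks from to method
=========================================================================
13 202.131.108.141 217.34.234.217 possible EVASIVE RST
detection
5 217.34.234.217 216.239.33.100 TCP CHECKSUM CHANGED ON
RETRANSMISSION (possible fragroute) detection
5 80.5.176.144 217.34.234.217 possible EVASIVE RST
detection
5 217.34.234.217 216.239.37.101 TCP CHECKSUM CHANGED ON
RETRANSMISSION (possible fragroute) detection
3 217.34.234.217 194.73.73.90 Multiple Acked Packets
(possible fragroute)
3 69.3.61.61 217.34.234.217 SCAN SOCKS Proxy attempt
2 217.34.234.217 63.88.212.82 TCP CHECKSUM CHANGED ON
RETRANSMISSION (possible fragroute) detection
2 217.34.234.217 194.73.73.90 TCP TOO FAST
RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection
1 217.34.234.217 80.5.176.144 possible EVASIVE RST
detection
1 217.34.234.217 196.3.79.204 possible EVASIVE RST
detection
1 66.135.192.83 217.34.234.217 possible EVASIVE RST
detection
1 217.32.252.50 217.34.234.217 NNTP return code buffer
overflow attempt
1 209.61.238.216 217.34.234.217 possible EVASIVE RST
detection
1 210.3.60.152 217.34.234.217 ICMP PING NMAP
1 216.239.37.101 217.34.234.217 possible EVASIVE RST
detection
1 133.103.74.14 217.34.234.217 RPC portmap listing
1 216.239.33.100 217.34.234.217 possible EVASIVE RST
detection
1 81.77.80.138 217.34.234.217 possible EVASIVE RST
detection
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(rf"^\s*(\d+)\s+({IP})\s+({IP})\s+(.+?)\s*$")


def parse_rows(text):
    """(count, src, dst, method) per row; wrapped method names are rejoined."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append([int(m.group(1)), m.group(2), m.group(3), m.group(4)])
        elif rows and line.strip() and not line.startswith("="):
            rows[-1][3] += " " + line.strip()  # continuation of previous method name
    return [tuple(r) for r in rows]


def alert_kind(method):
    """stream4 state-problem heuristics vs rule-based signature matches (example's own labels)."""
    return "stream4-anomaly" if ("EVASIVE RST" in method or "fragroute" in method) else "signature"


def triage(rows, host=HOST):
    """Per method: inbound/outbound event counts relative to host, plus distinct peers."""
    summary = {}
    for count, src, dst, method in rows:
        e = summary.setdefault(method, {"kind": alert_kind(method), "inbound": 0,
                                        "outbound": 0, "peers": set()})
        if dst == host:
            e["inbound"] += count
            e["peers"].add(src)
        elif src == host:
            e["outbound"] += count
            e["peers"].add(dst)
    return summary


def direction_totals(summary):
    """(inbound, outbound) event totals across all methods."""
    return (sum(e["inbound"] for e in summary.values()),
            sum(e["outbound"] for e in summary.values()))


def method_share(rows, method):
    """Percentage of all events carrying this method, as in the 'distribution' table."""
    total = sum(r[0] for r in rows)
    return round(100 * sum(r[0] for r in rows if r[3] == method) / total, 2)


if __name__ == "__main__":
    for method, e in triage(parse_rows(REPORT)).items():
        print(f'{e["kind"]:15} in={e["inbound"]:2} out={e["outbound"]:2} '
              f'peers={len(e["peers"])}  {method}')
```

Run as-is it prints one line per method; the counts it derives agree with the later tables in the mail (23 EVASIVE RST events into 217.34.234.217, 25 in total, 52.08 % of the 48 events). Splitting by direction and by alert kind is the first thing to do with a summary like this: the stream4 anomaly alerts on the server's own outbound retransmissions are a reassembly-heuristic question to settle against the sensor's stream4 settings, whereas the inbound rule hits are the ones to check against what the server actually exposes.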