[Wolves] Worrying SNORT results

fizzy wolves at mailman.lug.org.uk
Thu Feb 20 12:47:00 2003


> I'm especially concerned about the
> possible fragroute packets - does this mean
> someone's aliasing through me?
Aliasing through you? If it really is fragroute, then
someone is trying to hide something from you, probably
an attack on one of your machines.  We can't know if
this attack has been successful or not.
 
> Anyone know how dangerous these attacks are?  This
> kind of result seems to have been happening daily
> for the last 4/5 days or so.

Depends, if they are hiding some leet 0-day that has
0wned your boxes, they are very dangerous, if someone
is hiding a crappy statd attempt that is failing, they
are not very.

I would suggest that you get hogwash or similar to
drop all suspected fragroute packets and see if
anything breaks! If you say you are getting them
regularly and not just a one off thing then that might
suggest that the attack is failing, hence them trying
again. Drop all suspected fragroute packets and keep
monitoring the situation from there...

Also check your tripwire database and see if anything
suspicious has changed...

fizz
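
As an added illustration (not part of the original post, and not Snort's or hogwash's own logic), here is a sketch of how "suspected fragroute packets" can be recognised before dropping them. It assumes the evasion shows up as overlapping or very small non-final IP fragments; the record layout, the 24-byte threshold and the sample data are constructed for the example.

```python
from collections import defaultdict

# Constructed sample records, one per IP fragment seen on the wire:
# (src, dst, ip_id, byte_offset, payload_len, more_fragments_flag)
SAMPLE_FRAGMENTS = [
    ("192.0.2.10", "198.51.100.5", 100, 0, 1480, True),    # ordinary MTU split
    ("192.0.2.10", "198.51.100.5", 100, 1480, 520, False),
    ("203.0.113.7", "198.51.100.5", 7, 0, 8, True),        # tiny fragments
    ("203.0.113.7", "198.51.100.5", 7, 8, 8, True),
    ("203.0.113.7", "198.51.100.5", 7, 8, 16, True),       # rewrites bytes 8-15
    ("203.0.113.7", "198.51.100.5", 7, 24, 12, False),
]

# Assumed threshold: a non-final fragment carrying less than this is "tiny".
MIN_FRAG_PAYLOAD = 24


def suspicious_datagrams(fragments, min_payload=MIN_FRAG_PAYLOAD):
    """Map (src, dst, ip_id) -> sorted reasons for fragment sets that look evasive."""
    groups = defaultdict(list)
    for src, dst, ip_id, offset, length, more in fragments:
        groups[(src, dst, ip_id)].append((offset, length, more))

    findings = {}
    for key, frags in groups.items():
        reasons = set()
        covered_to = 0  # highest byte offset already claimed by an earlier fragment
        for offset, length, more in sorted(frags):
            # A fragment starting inside already-covered data overlaps it.
            # Exact retransmissions trip this too, so treat it as a lead, not proof.
            if offset < covered_to:
                reasons.add("overlap")
            covered_to = max(covered_to, offset + length)
            # Only the final fragment has a legitimate reason to be short.
            if more and length < min_payload:
                reasons.add("tiny")
        if reasons:
            findings[key] = sorted(reasons)
    return findings


def drop_list(fragments):
    """Source addresses whose fragments would be dropped while monitoring continues."""
    return sorted({src for (src, _dst, _ip_id) in suspicious_datagrams(fragments)})


if __name__ == "__main__":
    for key, reasons in suspicious_datagrams(SAMPLE_FRAGMENTS).items():
        print(key, reasons)
    print("drop:", drop_list(SAMPLE_FRAGMENTS))
```
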
