[Wolves] Worrying SNORT results
stuart.beeson
wolves at mailman.lug.org.uk
Thu Feb 20 13:32:00 2003
Ummm
most of the IP addresses resolve to either BTOPENWORLD or Google ....
I will look into this further
Stu
--- Original Message ---
From: Old Dan <dan@dannyboy.dnsalias.org>
To: wolves@mailman.lug.org.uk
Subject: [Wolves] Worrying SNORT results
Date: Thu, 20 Feb 2003 10:52h
Hello all
Hmmm. I'm running snort here at work and I'm getting a concerning
number of hack attempts on the server. (Log follows) Completely
different to when I run it at home, where there's perhaps one or two
ICMP attacks recorded per day. I'm especially concerned about the
possible fragroute packets - does this mean someone's aliasing through me?
Anyone know how dangerous these attacks are? This kind of result seems
to have been happening daily for the last 4/5 days or so.
Dan
PS Sorry couldn't make it to the meet as I had OU Astronomy stuff to do.
The log begins from: 01 01 00:48:50
The log ends at: 02 20 02:59:25
Total events: 48
Signatures recorded: 8
Source IP recorded: 12
Destination IP recorded: 7
The number of attacks from same host to same destination using same method
========================================================================
   # of
attacks  from              to                method
========================================================================
     13  202.131.108.141   217.34.234.217    possible EVASIVE RST detection
      5  217.34.234.217    216.239.33.100    TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
      5  80.5.176.144      217.34.234.217    possible EVASIVE RST detection
      5  217.34.234.217    216.239.37.101    TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
      3  217.34.234.217    194.73.73.90      Multiple Acked Packets (possible fragroute)
      3  69.3.61.61        217.34.234.217    SCAN SOCKS Proxy attempt
      2  217.34.234.217    63.88.212.82      TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
      2  217.34.234.217    194.73.73.90      TCP TOO FAST RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection
      1  217.34.234.217    80.5.176.144      possible EVASIVE RST detection
      1  217.34.234.217    196.3.79.204      possible EVASIVE RST detection
      1  66.135.192.83     217.34.234.217    possible EVASIVE RST detection
      1  217.32.252.50     217.34.234.217    NNTP return code buffer overflow attempt
      1  209.61.238.216    217.34.234.217    possible EVASIVE RST detection
      1  210.3.60.152      217.34.234.217    ICMP PING NMAP
      1  216.239.37.101    217.34.234.217    possible EVASIVE RST detection
      1  133.103.74.14     217.34.234.217    RPC portmap listing
      1  216.239.33.100    217.34.234.217    possible EVASIVE RST detection
      1  81.77.80.138      217.34.234.217    possible EVASIVE RST detection
Percentage and number of attacks from a host to a destination
========================================================================
            # of
     %   attacks  from              to
========================================================================
 27.08       13  202.131.108.141   217.34.234.217
 10.42        5  217.34.234.217    216.239.33.100
 10.42        5  217.34.234.217    194.73.73.90
 10.42        5  80.5.176.144      217.34.234.217
 10.42        5  217.34.234.217    216.239.37.101
  6.25        3  69.3.61.61        217.34.234.217
  4.17        2  217.34.234.217    63.88.212.82
  2.08        1  81.77.80.138      217.34.234.217
  2.08        1  209.61.238.216    217.34.234.217
  2.08        1  210.3.60.152      217.34.234.217
  2.08        1  133.103.74.14     217.34.234.217
  2.08        1  217.32.252.50     217.34.234.217
  2.08        1  217.34.234.217    196.3.79.204
  2.08        1  66.135.192.83     217.34.234.217
  2.08        1  216.239.33.100    217.34.234.217
  2.08        1  216.239.37.101    217.34.234.217
  2.08        1  217.34.234.217    80.5.176.144
Percentage and number of attacks from one host to any with same method
========================================================================
            # of
     %   attacks  from              method
========================================================================
 27.08       13  202.131.108.141   possible EVASIVE RST detection
 25.00       12  217.34.234.217    TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
 10.42        5  80.5.176.144      possible EVASIVE RST detection
  6.25        3  217.34.234.217    Multiple Acked Packets (possible fragroute)
  6.25        3  69.3.61.61        SCAN SOCKS Proxy attempt
  4.17        2  217.34.234.217    TCP TOO FAST RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection
  4.17        2  217.34.234.217    possible EVASIVE RST detection
  2.08        1  210.3.60.152      ICMP PING NMAP
  2.08        1  81.77.80.138      possible EVASIVE RST detection
  2.08        1  133.103.74.14     RPC portmap listing
  2.08        1  209.61.238.216    possible EVASIVE RST detection
  2.08        1  216.239.37.101    possible EVASIVE RST detection
  2.08        1  66.135.192.83     possible EVASIVE RST detection
  2.08        1  217.32.252.50     NNTP return code buffer overflow attempt
  2.08        1  216.239.33.100    possible EVASIVE RST detection
Percentage and number of attacks to one certain host
========================================================================
            # of
     %   attacks  to                method
========================================================================
 47.92       23  217.34.234.217    possible EVASIVE RST detection
 10.42        5  216.239.37.101    TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
 10.42        5  216.239.33.100    TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
  6.25        3  194.73.73.90      Multiple Acked Packets (possible fragroute)
  6.25        3  217.34.234.217    SCAN SOCKS Proxy attempt
  4.17        2  194.73.73.90      TCP TOO FAST RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection
  4.17        2  63.88.212.82      TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
  2.08        1  80.5.176.144      possible EVASIVE RST detection
  2.08        1  217.34.234.217    RPC portmap listing
  2.08        1  217.34.234.217    ICMP PING NMAP
  2.08        1  196.3.79.204      possible EVASIVE RST detection
  2.08        1  217.34.234.217    NNTP return code buffer overflow attempt
The distribution of attack methods
========================================================================
            # of
     %   attacks  method
========================================================================
 52.08       25  possible EVASIVE RST detection
                   13  202.131.108.141 -> 217.34.234.217
                    5  80.5.176.144 -> 217.34.234.217
                    1  217.34.234.217 -> 80.5.176.144
                    1  217.34.234.217 -> 196.3.79.204
                    1  66.135.192.83 -> 217.34.234.217
                    1  209.61.238.216 -> 217.34.234.217
                    1  216.239.37.101 -> 217.34.234.217
                    1  216.239.33.100 -> 217.34.234.217
                    1  81.77.80.138 -> 217.34.234.217
 25.00       12  TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection
                    5  217.34.234.217 -> 216.239.33.100
                    5  217.34.234.217 -> 216.239.37.101
                    2  217.34.234.217 -> 63.88.212.82
  6.25        3  SCAN SOCKS Proxy attempt
                    3  69.3.61.61 -> 217.34.234.217
  6.25        3  Multiple Acked Packets (possible fragroute)
                    3  217.34.234.217 -> 194.73.73.90
  4.17        2  TCP TOO FAST RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection
                    2  217.34.234.217 -> 194.73.73.90
  2.08        1  ICMP PING NMAP
                    1  210.3.60.152 -> 217.34.234.217
  2.08        1  RPC portmap listing
                    1  133.103.74.14 -> 217.34.234.217
  2.08        1  NNTP return code buffer overflow attempt
                    1  217.32.252.50 -> 217.34.234.217
_______________________________________________
Wolves mailing list
Wolves@mailman.lug.org.uk
http://mailman.lug.org.uk/mailman/listinfo/wolves
- Get an SMS alert to your mobile every time you get an email. That's ANY m=
obile phone. Register for FREE with t-email at www.t-email.co.uk to access =
your email and contacts via web and WAP -
=20