[ILUG] Snort config - newbie question.
Declan Grady
Declan.Grady at nuvotem.com
Fri Dec 16 09:49:55 GMT 2005
Hi folks.
I installed snort on my firewall out of interest, but I'm not sure I've
configured it correctly.
My external IP is xx.xxx.xxx.xx in the following snort report.
I'm using Debian, and my /etc/snort/snort.debian.conf file has:
DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="xx.xxx.xxx.xx"
DEBIAN_SNORT_OPTIONS=" -o"
DEBIAN_SNORT_INTERFACE="eth1"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"
---------
I have a simple firewall with external on eth1, and internal LAN on eth0.
On the internal net I only have some Windows PCs (a mixture of ME & XP)
and a Linux mail server.
I am concerned to see what looks like "strange" traffic from my external IP.
Pointers please?
Thanks,
Declan
Events between 12 15 07:43:01 and 12 15 15:50:23
Total events: 30
Signatures recorded: 7
Source IP recorded: 9
Destination IP recorded: 14
Events from same host to same destination using same method
=========================================================================
# of from to method
=========================================================================
2 65.216.78.66 xx.xxx.xxx.xx ICMP PING speedera
2 63.123.77.194 xx.xxx.xxx.xx ICMP PING speedera
2 xx.xxx.xxx.xx 195.13.50.100 (portscan) TCP Portsweep
2 xx.xxx.xxx.xx 64.4.30.250 (http_inspect) DOUBLE DECODING ATTACK
2 xx.xxx.xxx.xx 209.123.241.166 (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
2 65.203.232.2 xx.xxx.xxx.xx ICMP PING speedera
2 206.65.191.194 xx.xxx.xxx.xx ICMP PING speedera
2 84.235.32.33 xx.xxx.xxx.xx ICMP PING NMAP
2 205.252.48.130 xx.xxx.xxx.xx ICMP PING speedera
Percentage and number of events from a host to a destination
============================================================
% # of from to
============================================================
6.67 2 206.65.191.194 xx.xxx.xxx.xx
6.67 2 65.216.78.66 xx.xxx.xxx.xx
6.67 2 xx.xxx.xxx.xx 64.4.30.250
6.67 2 63.123.77.194 xx.xxx.xxx.xx
6.67 2 xx.xxx.xxx.xx 209.123.241.166
6.67 2 65.203.232.2 xx.xxx.xxx.xx
6.67 2 xx.xxx.xxx.xx 195.13.50.100
6.67 2 84.235.32.33 xx.xxx.xxx.xx
6.67 2 205.252.48.130 xx.xxx.xxx.xx
Percentage and number of events from one host to any with same method
==============================================================
% # of from method
==============================================================
26.67 8 xx.xxx.xxx.xx (http_inspect) DOUBLE DECODING ATTACK
13.33 4 xx.xxx.xxx.xx (portscan) TCP Portsweep
6.67 2 206.65.191.194 ICMP PING speedera
6.67 2 84.235.32.33 ICMP PING NMAP
6.67 2 63.123.77.194 ICMP PING speedera
6.67 2 65.203.232.2 ICMP PING speedera
6.67 2 65.216.78.66 ICMP PING speedera
6.67 2 205.252.48.130 ICMP PING speedera
6.67 2 xx.xxx.xxx.xx (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
Percentage and number of events to one certain host
=================================================================
% # of to method
=================================================================
33.33 10 xx.xxx.xxx.xx ICMP PING speedera
13.33 4 xx.xxx.xxx.xx ICMP PING NMAP
6.67 2 195.13.50.100 (portscan) TCP Portsweep
6.67 2 64.4.30.250 (http_inspect) DOUBLE DECODING ATTACK
6.67 2 209.123.241.166 (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
The distribution of event methods
===============================================
% # of method
===============================================
33.33 10 ICMP PING speedera
2 65.216.78.66 -> xx.xxx.xxx.xx
2 63.123.77.194 -> xx.xxx.xxx.xx
2 65.203.232.2 -> xx.xxx.xxx.xx
2 206.65.191.194 -> xx.xxx.xxx.xx
2 205.252.48.130 -> xx.xxx.xxx.xx
26.67 8 (http_inspect) DOUBLE DECODING ATTACK
2 xx.xxx.xxx.xx -> 64.4.30.250
1 xx.xxx.xxx.xx -> 207.46.216.59
1 xx.xxx.xxx.xx -> 207.46.216.60
1 xx.xxx.xxx.xx -> 65.54.194.118
1 xx.xxx.xxx.xx -> 64.154.81.197
1 xx.xxx.xxx.xx -> 212.78.196.13
1 xx.xxx.xxx.xx -> 216.239.59.103
13.33 4 ICMP PING NMAP
2 84.235.32.33 -> xx.xxx.xxx.xx
1 84.235.50.62 -> xx.xxx.xxx.xx
1 84.235.52.176 -> xx.xxx.xxx.xx
13.33 4 (portscan) TCP Portsweep
2 xx.xxx.xxx.xx -> 195.13.50.100
1 xx.xxx.xxx.xx -> 213.190.147.82
1 xx.xxx.xxx.xx -> 146.101.166.250
6.67 2 (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
2 xx.xxx.xxx.xx -> 209.123.241.166
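The tables above are hard to read by eye because the same masked address appears as both source and destination. One thing a reader would want to check is the direction of each alert relative to HOME_NET: if the firewall NATs the LAN (an assumption here, the post does not say), everything the Windows PCs send out appears on eth1 with the external address as its source, so alerts listing HOME_NET as "from" describe the LAN's own outbound traffic rather than an outside host attacking. The script below is an added example, not part of the post, of Snort or of the Debian snort-stat scripts: it parses the "distribution of event methods" section copied from the report, sums alert counts by direction and signature, and cross-checks the per-pair counts against each signature's header count. `HOME_NET`, `parse_report`, `classify` and `count_mismatches` are names chosen for this example.

```python
"""Split a snort-stat "distribution of event methods" section by traffic
direction relative to HOME_NET and sanity-check its counts.
Hypothetical helper written for this example; not part of Snort or of the
Debian snort-stat scripts."""
import re
from collections import defaultdict

# Masked external address exactly as the report above shows it.
HOME_NET = "xx.xxx.xxx.xx"

# The "distribution of event methods" section copied from the report above.
REPORT = """\
33.33 10 ICMP PING speedera
2 65.216.78.66 -> xx.xxx.xxx.xx
2 63.123.77.194 -> xx.xxx.xxx.xx
2 65.203.232.2 -> xx.xxx.xxx.xx
2 206.65.191.194 -> xx.xxx.xxx.xx
2 205.252.48.130 -> xx.xxx.xxx.xx
26.67 8 (http_inspect) DOUBLE DECODING ATTACK
2 xx.xxx.xxx.xx -> 64.4.30.250
1 xx.xxx.xxx.xx -> 207.46.216.59
1 xx.xxx.xxx.xx -> 207.46.216.60
1 xx.xxx.xxx.xx -> 65.54.194.118
1 xx.xxx.xxx.xx -> 64.154.81.197
1 xx.xxx.xxx.xx -> 212.78.196.13
1 xx.xxx.xxx.xx -> 216.239.59.103
13.33 4 ICMP PING NMAP
2 84.235.32.33 -> xx.xxx.xxx.xx
1 84.235.50.62 -> xx.xxx.xxx.xx
1 84.235.52.176 -> xx.xxx.xxx.xx
13.33 4 (portscan) TCP Portsweep
2 xx.xxx.xxx.xx -> 195.13.50.100
1 xx.xxx.xxx.xx -> 213.190.147.82
1 xx.xxx.xxx.xx -> 146.101.166.250
6.67 2 (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
2 xx.xxx.xxx.xx -> 209.123.241.166
"""

# "33.33 10 ICMP PING speedera": percentage, declared count, signature name
METHOD_RE = re.compile(r"^(?P<pct>\d+\.\d+)\s+(?P<count>\d+)\s+(?P<method>.+)$")
# "2 65.216.78.66 -> xx.xxx.xxx.xx": count, source, destination
PAIR_RE = re.compile(r"^(?P<count>\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")


def parse_report(text):
    """Return (events, declared): events is a list of (method, count, src, dst)
    tuples, declared maps each signature to the count on its header line."""
    events, declared, method = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        pair = PAIR_RE.match(line)
        if pair and method is not None:
            events.append((method, int(pair.group("count")),
                           pair.group("src"), pair.group("dst")))
            continue
        head = METHOD_RE.match(line)
        if head:
            method = head.group("method").strip()
            declared[method] = int(head.group("count"))
    return events, declared


def classify(events, home_net=HOME_NET):
    """Sum counts per direction and signature. 'outbound' means HOME_NET is
    the source, 'inbound' means HOME_NET is the destination."""
    summary = defaultdict(lambda: defaultdict(int))
    for method, count, src, dst in events:
        if src == home_net:
            direction = "outbound"
        elif dst == home_net:
            direction = "inbound"
        else:
            direction = "unrelated"
        summary[direction][method] += count
    return {d: dict(m) for d, m in summary.items()}


def count_mismatches(events, declared):
    """Signatures whose per-pair counts do not add up to the header count."""
    seen = defaultdict(int)
    for method, count, _, _ in events:
        seen[method] += count
    return {m: (declared[m], seen[m]) for m in declared if declared[m] != seen[m]}


if __name__ == "__main__":
    events, declared = parse_report(REPORT)
    summary = classify(events)
    for direction in ("inbound", "outbound", "unrelated"):
        for method, n in sorted(summary.get(direction, {}).items()):
            print(f"{direction:9s} {n:3d}  {method}")
    print("count mismatches:", count_mismatches(events, declared) or "none")
```

Run against the report above, every ICMP PING alert is inbound to HOME_NET and every http_inspect and portsweep alert is outbound from it, which is the split a reviewer would want before deciding whether the outbound alerts are the LAN's own browsing or something to chase. The mismatch check is empty for this section; it exists because hand-copied reports and truncated sections are common, and a signature whose pairs do not sum to its header is the first sign of that.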