Snort mailing list archives

Sneeze

From: Peggy Kam <ppkam () n-dsi com>
Date: Fri, 06 Feb 2004 16:17:34 -0500

Hi,

I believe that I was able to get sneeze running properly. ie. when Itried running the following command on 192.168.22.205:./sneeze.pl -d 192.168.22.205 -f /prod/etc/snort/dos.rules -s192.168.22.123 -i eth0


it generates the following:
ATTACK:
:45068 -> 192.168.22.205:64238

ATTACK: DOS Jolt attack
ATTACK TYPE: attempted-dos
ip :28282 -> 192.168.22.205:25713
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0345

ATTACK: DOS Teardrop attack
ATTACK TYPE: attempted-dos
udp :41624 -> 192.168.22.205:1658
Reference => http://www.securityfocus.com/bid/124
Reference => http://www.cert.org/advisories/CA-1997-28.html
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0015

ATTACK: DOS UDP echo+chargen bomb
ATTACK TYPE: attempted-dos
udp :19 -> 192.168.22.205:7
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0103
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0635

ATTACK: DOS IGMP dos attack
ATTACK TYPE: attempted-dos
ip :46144 -> 192.168.22.205:35580
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0918

ATTACK: DOS IGMP dos attack
ATTACK TYPE: attempted-dos
ip :38226 -> 192.168.22.205:53283
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0918

ATTACK: DOS ath
ATTACK TYPE: attempted-dos
icmp :45358 -> 192.168.22.205:55818
Reference => http://www.whitehats.com/info/IDS264
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1228

ATTACK: DOS NAPTHA
ATTACK TYPE: attempted-dos
tcp :33887 -> 192.168.22.205:24469
Reference => http://www.securityfocus.com/bid/2022
Reference => http://razor.bindview.com/publish/advisories/adv_NAPTHA.html
Reference => http://www.cert.org/advisories/CA-2000-21.html
Reference => http://www.microsoft.com/technet/security/bulletin/MS00-091.asp
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1039

ATTACK: DOS Real Audio Server
ATTACK TYPE: attempted-dos
tcp :49921 -> 192.168.22.205:7070
Reference => http://www.whitehats.com/info/IDS411
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0474
Reference => http://www.securityfocus.com/bid/1288

ATTACK: DOS Real Server template.html
ATTACK TYPE: attempted-dos
tcp :41169 -> 192.168.22.205:7070
Reference => http://www.securityfocus.com/bid/1288
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0474

ATTACK: DOS Real Server template.html
ATTACK TYPE: attempted-dos
tcp :3084 -> 192.168.22.205:8080
Reference => http://www.securityfocus.com/bid/1288
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0474

ATTACK: DOS Bay/Nortel Nautica Marlin
ATTACK TYPE: attempted-dos
udp :55377 -> 192.168.22.205:161
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0221
Reference => http://www.securityfocus.com/bid/1009

ATTACK: DOS Ascend Route
ATTACK TYPE: attempted-dos
udp :13038 -> 192.168.22.205:9
Reference => http://www.whitehats.com/info/IDS262
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0060
Reference => http://www.securityfocus.com/bid/714

ATTACK: DOS arkiea backup
ATTACK TYPE: attempted-dos
tcp :7017 -> 192.168.22.205:617
Reference => http://www.whitehats.com/info/IDS261
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0788
Reference => http://www.securityfocus.com/bid/662

ATTACK: DOS Winnuke attack
ATTACK TYPE: attempted-dos
tcp :31843 -> 192.168.22.205:135:139
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0153
Reference => http://www.securityfocus.com/bid/2010

ATTACK: DOS MSDTC attempt
ATTACK TYPE: attempted-dos
tcp :14970 -> 192.168.22.205:3372
Reference => http://www.securityfocus.com/bid/4006

ATTACK: DOS iParty DOS attempt
ATTACK TYPE: misc-attack
tcp :18936 -> 192.168.22.205:6004
Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1566

ATTACK: DOS DB2 dos attempt
ATTACK TYPE: denial-of-service
tcp :24671 -> 192.168.22.205:6789:6790

ATTACK: DOS Cisco attempt
ATTACK TYPE: web-application-attack
tcp :65150 -> 192.168.22.205:80

However, I do not see any alerts generated in the alert file. and whenrun tcpdump -i eth0, no packets were seen.


Am I missing something?

Thanks in advance,
Peggy



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Has any one tried SnorcCenter with Snort 2.1.1-RC1? crazy (Feb 06)
- alert_syslog Peggy Kam (Feb 06)
  - Re: alert_syslog Josh Berry (Feb 06)
    - Re: alert_syslog Peggy Kam (Feb 06)
    - Re: alert_syslog Owen McCusker (Feb 06)
    - Sneeze Peggy Kam (Feb 06)
- <Possible follow-ups>
- Has any one tried SnorcCenter with Snort 2.1.1-RC1? crazy (Feb 07)
  - Re: Has any one tried SnorcCenter with Snort 2.1.1-RC1? Jason Alexander (Feb 09)