Re: Need help with Sneeze

[<ravivsn () roc co in>]

If you are not able to see any alerts then cheers to Snort developers,coz
there are no false positives.
 I feel some people are worried that stick and sneeze are not triggering
false positives :))
Cheers
-Ravi
Rendezvous On Chip (I) Pvt Ltd,
http://www.rocsys.com


> Hi,
>
> I believe that I was able to get sneeze running properly.  ie. when I
> tried running the following command on 192.168.22.205:
> ./sneeze.pl -d 192.168.22.205 -f /prod/etc/snort/dos.rules  -s
> 192.168.22.123 -i eth0
>
> it generates the following:
> ATTACK:
> :45068 -> 192.168.22.205:64238
>
> ATTACK: DOS Jolt attack
> ATTACK TYPE: attempted-dos
> ip :28282 -> 192.168.22.205:25713
> Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0345
>
> ATTACK: DOS Teardrop attack
> ATTACK TYPE: attempted-dos
> udp :41624 -> 192.168.22.205:1658
> Reference => http://www.securityfocus.com/bid/124
> Reference => http://www.cert.org/advisories/CA-1997-28.html
> Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0015
>
> ATTACK: DOS UDP echo+chargen bomb
> ATTACK TYPE: attempted-dos
> udp :19 -> 192.168.22.205:7
> Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0103
> Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0635
>
> ATTACK: DOS IGMP dos attack
> ATTACK TYPE: attempted-dos
> ip :46144 -> 192.168.22.205:35580
> Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0918
>
> ATTACK: DOS IGMP dos attack
> ATTACK TYPE: attempted-dos
> ip :38226 -> 192.168.22.205:53283
> Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0918
>
> ATTACK: DOS ath
> ATTACK TYPE: attempted-dos
> icmp :45358 -> 192.168.22.205:55818
> Reference => http://www.whitehats.com/info/IDS264
> Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1228
>
> ATTACK: DOS NAPTHA
> ATTACK TYPE: attempted-dos
> tcp :33887 -> 192.168.22.205:24469
> Reference => http://www.securityfocus.com/bid/2022
> Reference =>
> http://razor.bindview.com/publish/advisories/adv_NAPTHA.html Reference
> => http://www.cert.org/advisories/CA-2000-21.html
> Reference =>
> http://www.microsoft.com/technet/security/bulletin/MS00-091.asp
> Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1039
>
> ATTACK: DOS Real Audio Server
> ATTACK TYPE: attempted-dos
> tcp :49921 -> 192.168.22.205:7070
> Reference => http://www.whitehats.com/info/IDS411
> Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0474
> Reference => http://www.securityfocus.com/bid/1288
>
> ATTACK: DOS Real Server template.html
> ATTACK TYPE: attempted-dos
> tcp :41169 -> 192.168.22.205:7070
> Reference => http://www.securityfocus.com/bid/1288
> Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0474
>
> ATTACK: DOS Real Server template.html
> ATTACK TYPE: attempted-dos
> tcp :3084 -> 192.168.22.205:8080
> Reference => http://www.securityfocus.com/bid/1288
> Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0474
>
> ATTACK: DOS Bay/Nortel Nautica Marlin
> ATTACK TYPE: attempted-dos
> udp :55377 -> 192.168.22.205:161
> Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0221
> Reference => http://www.securityfocus.com/bid/1009
>
> ATTACK: DOS Ascend Route
> ATTACK TYPE: attempted-dos
> udp :13038 -> 192.168.22.205:9
> Reference => http://www.whitehats.com/info/IDS262
> Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0060
> Reference => http://www.securityfocus.com/bid/714
>
> ATTACK: DOS arkiea backup
> ATTACK TYPE: attempted-dos
> tcp :7017 -> 192.168.22.205:617
> Reference => http://www.whitehats.com/info/IDS261
> Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0788
> Reference => http://www.securityfocus.com/bid/662
>
> ATTACK: DOS Winnuke attack
> ATTACK TYPE: attempted-dos
> tcp :31843 -> 192.168.22.205:135:139
> Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0153
> Reference => http://www.securityfocus.com/bid/2010
>
> ATTACK: DOS MSDTC attempt
> ATTACK TYPE: attempted-dos
> tcp :14970 -> 192.168.22.205:3372
> Reference => http://www.securityfocus.com/bid/4006
>
> ATTACK: DOS iParty DOS attempt
> ATTACK TYPE: misc-attack
> tcp :18936 -> 192.168.22.205:6004
> Reference => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1566
>
> ATTACK: DOS DB2 dos attempt
> ATTACK TYPE: denial-of-service
> tcp :24671 -> 192.168.22.205:6789:6790
>
> ATTACK: DOS Cisco attempt
> ATTACK TYPE: web-application-attack
> tcp :65150 -> 192.168.22.205:80
>
>
>
> However, I do not see any alerts generated in the alert file.  and when
> run tcpdump -i eth0, no packets were seen.
>
> Am I missing something?
>
> Thanks in advance,
> Peggy
>
>
>
>
>
> -------------------------------------------------------
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users





-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users