Snort mailing list archives
Re: how to handle this problem
From: "AJ Butcher, Information Systems and Computing" <Alex.Butcher () bristol ac uk>
Date: Thu, 20 May 2004 14:54:10 +0100
--On 20 May 2004 14:54 +0200 derk van de Velde <derk () pcvisie nl> wrote:
hi, if found this in met authlog from snort May 20 02:19:28 pcvisie snort: [1:2307:2] WEB-PHP PayPal Storefront arbitrary command execution attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.3.128:4978 -> 207.46.130.110:80 May 20 02:19:28 pcvisie snort: [1:2307:2] WEB-PHP PayPal Storefront arbitrary command execution attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.3.128:4979 -> 207.46.130.110:80 snortalog said high when i check the 2307 sid on snort.org, it is not clear to me how t handle this.
1) Check who the target machine (207.46.130.110) belongs to. According to WHOIS, it's Hotmail, so /if/ this /is/ a real attack, it's one of your users (I assume, from the 10.0.0.0/8 address) attacking Hotmail.
2) Verify whether the target machine is using PayPal Storefront. I would suggest "probably not".
3) Examine the payload of the packets that triggered the alert and compare with the rule to determine whether the rule might be a bit too dumb, and could be triggered by innocuous traffic (e.g. email, web pages, image files).
what steps should i take
If this is a real attack (I would guess not), the rest depends on your organisation's policy for dealing with misuse of its computer systems and networks. This is almost certainly a legal, rather than a technical matter.
regards, derk
HTH, Alex. -- Alex Butcher: Security & Integrity, Personal Computer Systems Group Information Systems and Computing GPG Key ID: F9B27DC9 GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9 ------------------------------------------------------- This SF.Net email is sponsored by: Oracle 10gGet certified on the hottest thing ever to hit the market... Oracle 10g. Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- how to handle this problem derk van de Velde (May 20)
- Re: how to handle this problem AJ Butcher, Information Systems and Computing (May 20)
- RE: how to handle this problem derk van de Velde (May 20)
- RE: how to handle this problem AJ Butcher, Information Systems and Computing (May 20)
- RE: how to handle this problem derk van de Velde (May 20)
- <Possible follow-ups>
- RE: how to handle this problem Corey Rock (May 20)
- RE: how to handle this problem derk van de Velde (May 21)
- RE: (2) how to handle this problem derk van de Velde (May 21)
- RE: how to handle this problem Corey Rock (May 22)
- Re: how to handle this problem AJ Butcher, Information Systems and Computing (May 20)