Snort mailing list archives
Suggested directions for inverstigation??
From: "Mike Kelley" <mikek () m-v-t com>
Date: Tue, 23 Nov 2004 23:20:13 -0700
I just brought up my snort\acid\mysql box. I have a situation where I am seeing hundreds of alerts with the same source IP and the same destination IP; it seems to be getting hit by 3 alert signatures, these alerts are climbing the ports on the source but all point back to the destination on port 80. The alerts are (http_inspect) APACHE WHITESPACE (TAB) (http_inspect) BARE BYTE UNICODE ENCODING (http_inspect) NON-RFC HTTP DELIMITER Since I'm seeing the ports increment numerically (most of the time, sometimes there are gaps of 2-10 ports) I'm under the impression I'm getting port scanned on the source box (internal IP on corp network) by the destination (public IP). Would anyone (please) point me in the next direction on investigating what is going on and what to do. My team and I can "big hammer" the situation by formatting the destination and securing the firewall implicitly on the source IP, but what I'm hoping to find out is what would those of you with years of working these incidents do? Here is the ARIN whois on the source IP **SNIP** Server Used: [ whois.arin.net ] 66.182.90.242 <http://www.samspade.org/t/whois?a=66.182.90.242;server=auto> = [ cust-66-182-90-242.bbsc.net <http://www.samspade.org/t/whois?a=cust-66-182-90-242.bbsc.net;server=au to> ] OrgName: BroadBand Solutions America OrgID: BSA-26 Address: 630 West 9560 South Suite A City: Sandy StateProv: UT PostalCode: 84070 Country: US NetRange: 66.182.64.0 <http://www.samspade.org/t/whois?a=66.182.64.0;server=auto> - 66.182.95.255 <http://www.samspade.org/t/whois?a=66.182.95.255;server=auto> CIDR: 66.182.64.0/19 NetName: BBSC-NET NetHandle: NET-66-182-64-0-1 <http://www.samspade.org/t/whois?a=NET-66-182-64-0-1;server=whois.arin.n et> Parent: NET-66-0-0-0-0 NetType: Direct Allocation NameServer: NS1.BBSC.NET <http://www.samspade.org/t/whois?a=NS1.BBSC.NET;server=auto> NameServer: NS4.BBSC.NET <http://www.samspade.org/t/whois?a=NS4.BBSC.NET;server=auto> **SNIP** Thanks in advance to any and all suggestions (tell me which ones to read and I'll RTFM!!!) Mike
Current thread:
- Suggested directions for inverstigation?? Mike Kelley (Nov 23)