Snort mailing list archives
Re: My Snort IDS Sensor Detected Metasploit Exploit Attempts
From: Teo En Ming <teo.en.ming () gmail com>
Date: Thu, 24 Apr 2014 00:04:55 +0800
Dear Eric G,

I may not be able to tap my outside internet and feed it to Snort because I am running Snort in a virtual machine, and it's sitting behind a wireless router. Please look at the attached network diagram and offer me advice on how I can tap the outside internet and feed it to Snort.

Thank you very much.

Yours sincerely,
Teo En Ming

On Wed, Apr 23, 2014 at 10:16 PM, Eric G <eric () nixwizard net> wrote:
On Wed, Apr 23, 2014 at 7:59 AM, Teo En Ming <teo.en.ming () gmail com> wrote:

> Hi,
>
> In the previous (1st) Metasploit exploit attempt, there were 136 Snort alerts with the internet-facing IP address included in HOME_NET in snort.conf. In the 2nd Metasploit exploit attempt, I removed the internet-facing IP address from HOME_NET in snort.conf and there were 95 Snort alerts. ***So I don't think it is necessary to include the internet-facing IP address in HOME_NET.*** Do you guys agree with this?
>
> Here are the Snort alerts from the 2nd Metasploit exploit attempt:
>
> 04/23-18:59:33.230809 [**] [1:29881:1] MALWARE-CNC Win.Trojan.Dexter CasinoLoader SQL injection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 171.207.9.232:35869 -> 192.168.1.146:80
> 04/23-19:06:23.153624 [**] [1:20158:9] SERVER-WEBAPP Oracle GlassFish Server default credentials login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.9.232:47198 -> 192.168.1.147:80

Teo, you're not tapping your outside Internet connection... do you see how the destination IP in your alert that fired off only lists 192.168.1.146? That means you're only tapping the inside, which is after your edge firewall device.

If your HOME_NET contains your outside Internet IP address, and you're tapping your outside Internet connection and feeding it to Snort, then the Snort alert would contain your public IP address as the destination, not your inside IP. In fact, if you tap both outside and inside and feed them to Snort, you should get two alerts that fire off if your HOME_NET contains your outside IP and 192.168.1.0/24.

So you still don't have Snort configured in the way you expect it to be... tap your outside Internet and feed it to Snort, and you should see alerts fire off the way you're expecting them to.

--
Eric
https://www.linkedin.com/in/ericgearhart
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
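Eric's diagnostic above (the destination IP of each alert tells you which side of the edge device the sensor is actually seeing) can be checked mechanically over a Snort fast-alert file. The following is an added example, not code from the thread or from the Snort project: it parses alert lines in the format Teo posted, classifies each by whether the destination is in the inside range or equals the outside IP, and reports whether any outside-tap alerts are present at all. The outside address 203.0.113.10 is an assumed placeholder (a documentation range), and the third alert line is constructed to show what an outside-tap alert would look like.

```python
import ipaddress
import re

# Snort fast-alert line layout as shown in the thread:
# <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# HOME_NET as Eric describes it: the inside /24 plus the public (outside) address.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
OUTSIDE_IP = ipaddress.ip_address("203.0.113.10")  # assumed placeholder for the public IP

# First two lines are the alerts from the thread; the third is constructed to model an outside tap.
SAMPLE_ALERTS = [
    "04/23-18:59:33.230809 [**] [1:29881:1] MALWARE-CNC Win.Trojan.Dexter CasinoLoader SQL injection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 171.207.9.232:35869 -> 192.168.1.146:80",
    "04/23-19:06:23.153624 [**] [1:20158:9] SERVER-WEBAPP Oracle GlassFish Server default credentials login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.9.232:47198 -> 192.168.1.147:80",
    "04/23-19:06:23.153900 [**] [1:20158:9] SERVER-WEBAPP Oracle GlassFish Server default credentials login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.9.232:47198 -> 203.0.113.10:80",
]

def parse_alert(line):
    """Parse one fast-alert line into a dict; return None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["src"] = ipaddress.ip_address(alert["src"])
    alert["dst"] = ipaddress.ip_address(alert["dst"])
    return alert

def classify_tap(alert, inside_net=INSIDE_NET, outside_ip=OUTSIDE_IP):
    """Name the tap point an alert came from, judged by its destination address."""
    if alert["dst"] == outside_ip:
        return "outside"
    if alert["dst"] in inside_net:
        return "inside"
    return "unknown"

def tap_summary(lines, inside_net=INSIDE_NET, outside_ip=OUTSIDE_IP):
    """Count alerts per tap point; skip lines that are not fast-alert records."""
    counts = {"inside": 0, "outside": 0, "unknown": 0}
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            counts[classify_tap(alert, inside_net, outside_ip)] += 1
    return counts

def sees_outside_traffic(lines, inside_net=INSIDE_NET, outside_ip=OUTSIDE_IP):
    """True only if at least one alert has the public IP as destination, i.e. the outside is tapped."""
    return tap_summary(lines, inside_net, outside_ip)["outside"] > 0

if __name__ == "__main__":
    print(tap_summary(SAMPLE_ALERTS))            # {'inside': 2, 'outside': 1, 'unknown': 0}
    print(sees_outside_traffic(SAMPLE_ALERTS[:2]))  # False: only inside-tap alerts, as in Teo's log
```

Run against a real alert file with the placeholder replaced by your own public address; a result with zero "outside" alerts reproduces Teo's situation.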
Current thread:
- My Snort IDS Sensor Detected Metasploit Exploit Attempts Teo En Ming (Apr 23)
- Re: My Snort IDS Sensor Detected Metasploit Exploit Attempts Teo En Ming (Apr 23)
- Re: My Snort IDS Sensor Detected Metasploit Exploit Attempts Eric G (Apr 23)
- Re: My Snort IDS Sensor Detected Metasploit Exploit Attempts Teo En Ming (Apr 23)
- Re: My Snort IDS Sensor Detected Metasploit Exploit Attempts Eric G (Apr 23)
- Re: My Snort IDS Sensor Detected Metasploit Exploit Attempts Eric G (Apr 23)
- Re: My Snort IDS Sensor Detected Metasploit Exploit Attempts Teo En Ming (Apr 23)