Yes, lots of this stuff is automated. Many kiddies run scripts that scan entire ranges of IPs on the net. Many of the scripts will own the box, and then report the success in their log. Snort is great, and it's very useful if you know what to do with the data. If you're not running Windows stuff, I'd just disable those rules. Though, it might be good to set up Snort to watch for the Windows stuff coming from your network, if you do have a Windows box internally, because it's only a matter of time until it gets hit with something.

-miah

On Fri, Sep 10, 2004 at 07:10:21AM -0700, Eric wrote:
> I just turned on Snort for the first time. It's so
> cool... Within fifteen minutes I got something to
> see.
>
> Log
> Date: 09/10 04:46:01 Name: WEB-IIS ISAPI .ida attempt
> Priority: 1 Type: Web Application Attack
> IP info: 24.43.216.154:3351 -> 24.60.178.249:80
> References: 1 2 3
> Date: 09/10 04:46:01 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 24.43.216.154:3351 -> 24.60.178.249:80
> References: none found
> Date: 09/10 04:59:51 Name: WEB-IIS ISAPI .ida attempt
> Priority: 1 Type: Web Application Attack
> IP info: 24.60.228.112:4462 -> 24.60.178.249:80
> References: 1 2 3
> Date: 09/10 04:59:51 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 24.60.228.112:4462 -> 24.60.178.249:80
> References: none found
>
> New stuff to check out! But why would someone do
> that? I'm obviously not using Windows... Is this
> automated? And do you guys see this stuff constantly?
>
> =====
> D. Eric Chadbourne
> http://caffeinated.homelinux.net/
> "Shadowman doesn't know what the heck
> you just said, but you moved him."
> - Shadowman.
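An added example, not part of the original thread: a small triage script for alert listings in the layout quoted above, separating inbound scanner noise from alerts whose source is inside your own network, which is the case the reply suggests watching for. The `HOME_NET` value and the sample alerts (documentation addresses) are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the network you are protecting (Snort calls this HOME_NET).
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample in the same layout as the quoted alert listing.
SAMPLE = """\
Date: 09/10 04:46:01 Name: WEB-IIS ISAPI .ida attempt
Priority: 1 Type: Web Application Attack
IP info: 198.51.100.7:3351 -> 192.0.2.10:80
Date: 09/10 04:46:01 Name: WEB-IIS cmd.exe access
Priority: 1 Type: Web Application Attack
IP info: 198.51.100.7:3351 -> 192.0.2.10:80
Date: 09/10 05:12:40 Name: WEB-IIS cmd.exe access
Priority: 1 Type: Web Application Attack
IP info: 192.0.2.23:1044 -> 203.0.113.5:80
"""

# \s+ between fields lets this match wrapped or flattened listings alike.
ALERT_RE = re.compile(
    r"Date:\s*(?P<date>\d\d/\d\d \d\d:\d\d:\d\d)\s+Name:\s*(?P<name>.+?)\s+"
    r"Priority:\s*(?P<prio>\d+)\s+Type:\s*(?P<type>.+?)\s+"
    r"IP info:\s*(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(text):
    """Return one dict per alert found in the listing."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def direction(alert):
    """Classify an alert relative to HOME_NET."""
    src_in = ipaddress.ip_address(alert["src"]) in HOME_NET
    dst_in = ipaddress.ip_address(alert["dst"]) in HOME_NET
    if src_in and not dst_in:
        return "outbound"   # an internal host is the one sending the probe
    if dst_in and not src_in:
        return "inbound"    # typical Internet-wide scanning
    return "internal" if src_in else "external"

def summarize(text):
    """Group alerts by (direction, source IP) with counts and rule names."""
    summary = defaultdict(lambda: {"count": 0, "rules": set()})
    for alert in parse_alerts(text):
        entry = summary[(direction(alert), alert["src"])]
        entry["count"] += 1
        entry["rules"].add(alert["name"])
    return dict(summary)

def outbound_sources(text):
    """Internal hosts that triggered alerts against outside targets."""
    return sorted(src for (d, src) in summarize(text) if d == "outbound")
```

Inbound entries for rules that do not apply to the host's platform are candidates for tuning; any address returned by `outbound_sources` is an internal machine worth inspecting.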