first time snort

miah jjohnson at sunrise-linux.com
Fri Sep 10 10:40:04 EDT 2004


Yes, lots of this stuff is automated.  Many kiddies run scripts that
scan entire ranges of IPs on the net.  Many of the scripts will own
the box, and then report the success in their log.  Snort is great,
and it's very useful if you know what to do with the data.  If you're
not running Windows stuff, I'd just disable those rules.  Though, it
might be good to set up snort to watch for the Windows stuff coming
from your network, if you do have a Windows box internally, because
it's only a matter of time until it gets hit with something.

-miah

On Fri, Sep 10, 2004 at 07:10:21AM -0700, Eric wrote:
> I just turned on snort for the first time.  It's so
> cool...  Within fifteen minutes I got something to
> see.
> 
> Log
> Date:	09/10 04:46:01 	Name:	WEB-IIS ISAPI .ida attempt
> Priority:	1 	Type:	Web Application Attack
> IP info: 	24.43.216.154:3351 -> 24.60.178.249:80
> References:	1 2 3
> Date:	09/10 04:46:01 	Name:	WEB-IIS cmd.exe access
> Priority:	1 	Type:	Web Application Attack
> IP info: 	24.43.216.154:3351 -> 24.60.178.249:80
> References:	none found
> Date:	09/10 04:59:51 	Name:	WEB-IIS ISAPI .ida attempt
> Priority:	1 	Type:	Web Application Attack
> IP info: 	24.60.228.112:4462 -> 24.60.178.249:80
> References:	1 2 3
> Date:	09/10 04:59:51 	Name:	WEB-IIS cmd.exe access
> Priority:	1 	Type:	Web Application Attack
> IP info: 	24.60.228.112:4462 -> 24.60.178.249:80
> References:	none found
> 
> New stuff to check out!  But why would someone do
> that?  I'm obviously not using windows...  Is this
> automated?  And do you guys see this stuff constantly?
> 
> =====
> D. Eric Chadbourne
> http://caffeinated.homelinux.net/
> "Shadowman doesn't know what the heck
> you just said, but you moved him."
> - Shadowman.
> 
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss
> 
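The triage miah describes (ignore inbound WEB-IIS noise against a non-Windows host, but escalate the same signatures when they originate from your own network) as a small added example in Python; it is not part of the list thread. The HOME_NET range, the Windows-host list and the alert lines are constructed for the example, in the same layout as the log Eric posted.

```python
import ipaddress
import re

# Constructed sample in the layout of the quoted Snort alert summary.
# The third alert is a constructed outbound hit from an assumed internal host.
SAMPLE_ALERTS = """\
Date: 09/10 04:46:01 Name: WEB-IIS ISAPI .ida attempt
Priority: 1 Type: Web Application Attack
IP info: 24.43.216.154:3351 -> 24.60.178.249:80
Date: 09/10 04:46:01 Name: WEB-IIS cmd.exe access
Priority: 1 Type: Web Application Attack
IP info: 24.43.216.154:3351 -> 24.60.178.249:80
Date: 09/10 05:12:07 Name: WEB-IIS cmd.exe access
Priority: 1 Type: Web Application Attack
IP info: 24.60.178.250:1044 -> 198.51.100.7:80
"""

# Assumed internal range, playing the role of Snort's HOME_NET variable.
HOME_NET = [ipaddress.ip_network("24.60.178.0/24")]

ALERT_RE = re.compile(
    r"Date:\s*(?P<date>\S+ \S+)\s+Name:\s*(?P<name>.+?)\n"
    r"Priority:\s*(?P<prio>\d+)\s+Type:\s*(?P<type>.+?)\n"
    r"IP info:\s*(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def in_home_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def parse_alerts(text):
    """Parse alert summaries and tag each with its direction relative to HOME_NET."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        outbound = in_home_net(a["src"]) and not in_home_net(a["dst"])
        a["direction"] = "outbound" if outbound else "inbound"
        alerts.append(a)
    return alerts


def triage(text, windows_hosts=frozenset()):
    """Bucket alerts: outbound from HOME_NET -> escalate (internal box may be owned);
    inbound to a listed Windows host -> investigate; inbound to anything else -> noise."""
    buckets = {"noise": [], "investigate": [], "escalate": []}
    for a in parse_alerts(text):
        if a["direction"] == "outbound":
            buckets["escalate"].append(a)
        elif a["dst"] in windows_hosts:
            buckets["investigate"].append(a)
        else:
            buckets["noise"].append(a)
    return buckets
```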