[blu] first time snort

Ben Jackson bbj at innismir.net
Fri Sep 10 10:43:01 EDT 2004


15 minutes? Wow, you live on a slow netblock ;)

You are probably seeing remnants of Nimda and CodeRed. If you set
something listening on port 137, you'll also notice a metric arseload of
Blaster and variants attacking. All they care about is that you have an open
port. You are fair game. :)

If you enjoy snort and have a MySQL/PHP box to play with, perhaps you can
set up ACID (http://acidlab.sourceforge.net/), which is a fantastic frontend
to snort.

				~Ben

--
/"\  Ben Jackson
\ /  bbj <at> innismir.net - http://www.innismir.net/
 X   Member of the ASCII Ribbon Campaign Against HTML Mail
/ \


On Fri, 10 Sep 2004, Eric wrote:

> I just turned on snort for the first time.  It's so
> cool...  Within fifteen minutes I got something to
> see.
>
> Log
> Date:	09/10 04:46:01 	Name:	WEB-IIS ISAPI .ida attempt
> Priority:	1 	Type:	Web Application Attack
> IP info: 	24.43.216.154:3351 -> 24.60.178.249:80
> References:	1 2 3
> Date:	09/10 04:46:01 	Name:	WEB-IIS cmd.exe access
> Priority:	1 	Type:	Web Application Attack
> IP info: 	24.43.216.154:3351 -> 24.60.178.249:80
> References:	none found
> Date:	09/10 04:59:51 	Name:	WEB-IIS ISAPI .ida attempt
> Priority:	1 	Type:	Web Application Attack
> IP info: 	24.60.228.112:4462 -> 24.60.178.249:80
> References:	1 2 3
> Date:	09/10 04:59:51 	Name:	WEB-IIS cmd.exe access
> Priority:	1 	Type:	Web Application Attack
> IP info: 	24.60.228.112:4462 -> 24.60.178.249:80
> References:	none found
>
> New stuff to check out!  But why would someone do
> that?  I'm obviously not using windows...  Is this
> automated?  And do you guys see this stuff constantly?
>
> =====
> D. Eric Chadbourne
> http://caffeinated.homelinux.net/
> "Shadowman doesn't know what the heck
> you just said, but you moved him."
> - Shadowman.
>
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss
>
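As an added example, not code from either poster or from snort, here is a short Python script that parses alert records in the layout Eric quoted and reports any source that fires the ".ida attempt" and "cmd.exe access" signatures back to back from one connection, which is the automated CodeRed/Nimda probe pattern Ben describes. The sample records and the addresses in them are constructed (RFC 5737 documentation ranges).

```python
import re
from collections import defaultdict

# Constructed sample in the same tab-separated layout as the frontend output
# quoted in the thread; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Date:\t09/10 04:46:01 \tName:\tWEB-IIS ISAPI .ida attempt
Priority:\t1 \tType:\tWeb Application Attack
IP info: \t192.0.2.10:3351 -> 198.51.100.5:80
References:\t1 2 3
Date:\t09/10 04:46:01 \tName:\tWEB-IIS cmd.exe access
Priority:\t1 \tType:\tWeb Application Attack
IP info: \t192.0.2.10:3351 -> 198.51.100.5:80
References:\tnone found
Date:\t09/10 04:59:51 \tName:\tWEB-IIS ISAPI .ida attempt
Priority:\t1 \tType:\tWeb Application Attack
IP info: \t203.0.113.7:4462 -> 198.51.100.5:80
References:\t1 2 3
"""

# Both signatures from the same source port in the same second = worm probe, not a person.
WORM_PAIR = {"WEB-IIS ISAPI .ida attempt", "WEB-IIS cmd.exe access"}
DATE_RE = re.compile(r"^Date:\s*(\S+ \S+)\s*Name:\s*(.+?)\s*$")
IP_RE = re.compile(r"^IP info:\s*([\d.]+):(\d+) -> ([\d.]+):(\d+)\s*$")

def parse_alerts(text):
    """Turn the four-line alert records into dicts: when, name, src, sport, dst, dport."""
    alerts, current = [], None
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:  # a Date line starts a new record
            current = {"when": m.group(1), "name": m.group(2)}
            alerts.append(current)
            continue
        m = IP_RE.match(line)
        if m and current is not None:  # attach the IP info to the open record
            current.update(src=m.group(1), sport=int(m.group(2)),
                           dst=m.group(3), dport=int(m.group(4)))
    return alerts

def worm_sources(alerts):
    """Sources that fired the full .ida + cmd.exe pair from one source port
    within the same second; a lone .ida hit is not enough to be flagged."""
    seen = defaultdict(set)
    for a in alerts:
        seen[(a["src"], a["sport"], a["when"])].add(a["name"])
    return sorted({src for (src, _, _), names in seen.items() if WORM_PAIR <= names})
```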