Hello,
FreeBSD 5.4
Relatively new to IDS. I have had snort in for a week or so now. I check all my logs on a daily basis. I am used to seeing stuff in httpd-error.log and vsftpd.log, however being new to snort, I am confused. I realize that this is just an intrusion detection, what should I do in response to these alerts below? I am just used to seeing IPs in certain logs and then just blocking them at the firewall. However on some days this gets to be a pain as this can take quite a while as I get hit from a wide range of IPs.
I checked snort log first thing today and it seems to be picking up my laptop as trying to use ftp exploits.
Code:
[**] [1:1748:8] FTP command overflow attempt [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
11/24-14:02:32.735830 192.168.1.4:3247 -> 192.168.1.1:21
TCP TTL:128 TOS:0x0 ID:20571 IpLen:20 DgmLen:358 DF
***AP*** Seq: 0x1C5D5B76 Ack: 0x681EACAD Win: 0x4470 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0606][Xref => http://www.securityfocus.com/bid/4638]
[**] [1:1378:15] FTP wu-ftp bad file completion attempt { [**]
[Classification: Misc Attack] [Priority: 2]
11/24-14:02:32.921308 192.168.1.4:3247 -> 192.168.1.1:21
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:286
***AP*** Seq: 0x681EADE9 Ack: 0x1C5D5DAA Win: 0xFFFF TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0886][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2001-0550][Xref => http://www.securityfocus.com/bid/3707][Xref => http://www.securityfocus.com/bid/3581]
[**] [1:2417:2] FTP format string attempt [**]
[Classification: A suspicious string was detected] [Priority: 3]
11/24-14:02:32.921308 192.168.1.4:3247 -> 192.168.1.1:21
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:286
***AP*** Seq: 0x681EADE9 Ack: 0x1C5D5DAA Win: 0xFFFF TcpLen: 20
[Xref => http://www.securityfocus.com/bid/9800]
Now this is a relatively new XP install on my laptop, about a week or so old. I was trying to ftp to my server at around this time, vsftpd and ssl. I guess I am just asking if anyone has insight into this for me?
I get a lot of alerts for other things too, here is an example of a few from yesterday and today.
Code:
[**] [1:621:7] SCAN FIN [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/24-15:03:40.272725 217.162.177.129:54081 -> 192.168.1.1:6348
TCP TTL:47 TOS:0x0 ID:23295 IpLen:20 DgmLen:40 DF
*******F Seq: 0x2A3418C3 Ack: 0x0 Win: 0xFFFF TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS27]
[**] [1:621:7] SCAN FIN [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/24-15:03:40.280490 217.162.177.129:54081 -> 192.168.1.1:6348
TCP TTL:47 TOS:0x0 ID:23296 IpLen:20 DgmLen:40 DF
*******F Seq: 0x2A3418C2 Ack: 0x0 Win: 0xFFFF TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS27]
[**] [1:621:7] SCAN FIN [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/25-03:23:00.526206 217.162.183.172:54408 -> 192.168.1.1:6348
TCP TTL:47 TOS:0x0 ID:51412 IpLen:20 DgmLen:40 DF
*******F Seq: 0xD4966A0D Ack: 0x0 Win: 0xFFFF TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS27]
[**] [1:621:7] SCAN FIN [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/25-03:23:00.529865 217.162.183.172:54408 -> 192.168.1.1:6348
TCP TTL:47 TOS:0x0 ID:51413 IpLen:20 DgmLen:40 DF
*******F Seq: 0xD4966A0C Ack: 0x0 Win: 0xFFFF TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS27]
I realize that these are scans, and I have set my firewall to drop scans but if they are scanning my external ip they are getting my router that forwards ssh to another machine on my network and 20,21,80 to this machine.
I have snort monitoring this machine only and I was wondering how they can scan this machine behind my router when I don't forward the high ports it is scanning? I guess I am just scared. I am going to look for rkhunter for this machine now. I have it on another but not this one.
Any help is greatly appreciated in this matter if more info is needed I will gladly post.
On a side note, I am going to set ACID up to help me read my SQL snort db. Any issues with that I should know about beforehand?
Thank you for any help offered.
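As an added illustration (not code from the poster or from Snort itself), here is a small parser for the full-alert format shown above that groups alerts by source address and rule SID and tags each source as internal (RFC 1918) or external, which is the first step in deciding whether an alert is a LAN host to look at locally or an outside scanner to handle at the firewall. The sample input is constructed from the alerts in the post; the field names in the returned dicts are my own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Snort's full-alert format, modelled on the alerts in the post
# (the TCP detail and Xref lines are omitted; the parser ignores them anyway).
SAMPLE_ALERTS = """\
[**] [1:1748:8] FTP command overflow attempt [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
11/24-14:02:32.735830 192.168.1.4:3247 -> 192.168.1.1:21
[**] [1:621:7] SCAN FIN [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/24-15:03:40.272725 217.162.177.129:54081 -> 192.168.1.1:6348
[**] [1:621:7] SCAN FIN [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/24-15:03:40.280490 217.162.177.129:54081 -> 192.168.1.1:6348
[**] [1:621:7] SCAN FIN [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/25-03:23:00.526206 217.162.183.172:54408 -> 192.168.1.1:6348
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")

def parse_alerts(text):
    """Return one dict per alert block: sid, msg, priority, src, dst, dport."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # "[**] [gid:sid:rev] message [**]" opens a new alert
            cur = {"sid": int(m.group(2)), "msg": m.group(4)}
            alerts.append(cur)
        elif cur is not None and (m := PRIO_RE.search(line)):
            cur["priority"] = int(m.group(1))
        elif cur is not None and (m := FLOW_RE.match(line)):
            cur["src"], cur["dst"], cur["dport"] = m.group(2), m.group(4), int(m.group(5))
    return alerts

def triage(alerts):
    """Count alerts per (source, sid) and tag each source as internal (RFC 1918) or external,
    so a noisy external scanner sorts to the top and a LAN host stands out for local checking."""
    counts = Counter((a["src"], a["sid"], a["msg"]) for a in alerts if "src" in a)
    return [{"src": src, "sid": sid, "msg": msg, "count": n,
             "internal": ipaddress.ip_address(src).is_private}
            for (src, sid, msg), n in counts.most_common()]

if __name__ == "__main__":
    for row in triage(parse_alerts(SAMPLE_ALERTS)):
        print(row)
```

Point it at a real alert file instead of SAMPLE_ALERTS and the internal rows are the ones to check on the host itself (the laptop's FTP client in this case), while external rows with high counts are candidates for a firewall rule.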