tomas
Resolved
0 votes
Hi all,

I have got a few questions about the Snort report.

I have ClearOS 5.2 SP1 set up as a gateway with local domain and 3 interfaces:

eth0 - external - 192.168.3.86
eth1 - LAN - 192.168.2.1
eth2 - external - 192.168.1.3

I use Google DNS - 8.8.8.8 and 8.8.4.4

The Intrusion Detection Report shows Google DNS (8.8.8.8) and my two external interfaces, 192.168.3.86 and 192.168.1.3, as Attackers, and some IP addresses which are not in my internal network, e.g. verisign.com, ripe.net, amazon.com, mcafee.com, as Victims.

I'm confused by this. Is it normal, or should it be the other way round (my external interfaces as victims and the others as attackers)?
It has been like that since I changed server config to gateway. I have updated rules from EmergingThreats.net using Nick's script.

Nothing has been blocked by Intrusion Prevention but it still worries me.

Classification of these alerts: http_inspect, WEB-CLIENT Microsoft wmf metafile access, portscan, DNS SPOOF query response with TTL of 1 min. and no authority.

Thx
Friday, February 24 2012, 05:14 PM
Responses (4)
  • Accepted Answer

    tomas
    Wednesday, February 29 2012, 09:42 AM - #Permalink
    Resolved
    0 votes
    Thank you Nick.

    So the problem is with the reporting, not with Snort itself and its configuration.
    This is clearer for me now.

    Let's hope that the new, updated Snort in ClearOS 6.2 will do a better job with reports.
  • Accepted Answer

    Monday, February 27 2012, 12:18 PM - #Permalink
    Resolved
    0 votes
    I think it is more a problem with the report than Snort. Rather than "attacker", think of it as source and destination. Then consider an SMTP brute force attack. The relevant Snort rule looks for failed sign-on messages returning to the attacker, and the rule is triggered if there are too many failed sign-ons within a particular timeframe. In this case the source of the message would be you (sending the invalid login message) and the destination would be the attacker. This then gets incorrectly interpreted by the report. For each rule triggering the alert, check out which direction it is monitoring.
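The direction point made in the reply above, as an added example that is not part of this thread and not ClearOS or Snort code: a small Python script parses Snort fast-alert lines together with the rules that produced them, and labels each alert by connection initiator and responder instead of by packet source and destination. The rules, alert lines, SIDs in the local range (1000001, 1000002), the 203.0.113.10 peer and the 192.168.0.0/16 home network are all constructed for the example; only the alert line layout and the `flow` keywords are Snort's own.

```python
"""Direction-aware reading of Snort fast-alert lines (added example)."""
import ipaddress
import re

# Layout of a Snort "alert_fast" line. Ports are optional so ICMP lines parse too.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Rule header followed by the option block in parentheses.
RULE_RE = re.compile(
    r"^alert\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Return sid, header addresses and the flow flags of one rule."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: %r" % text)
    opts = {}
    for raw in m.group("opts").split(";"):
        raw = raw.strip()
        if raw:
            key, _, value = raw.partition(":")
            opts[key.strip()] = value.strip()
    flow = {f.strip() for f in opts.get("flow", "").split(",") if f.strip()}
    return {
        "sid": int(opts["sid"]),
        "src": m.group("src"), "dst": m.group("dst"),
        "direction": m.group("dir"),
        "flow": flow,
        "msg": opts.get("msg", "").strip('"'),
    }


def parse_alert(line):
    """Split one fast-alert line into timestamp, sid, message and endpoints."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("not a fast-alert line: %r" % line)
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    return d


def classify(alert_line, rules_by_sid, home_net):
    """Work out who initiated the connection behind this alert."""
    alert = parse_alert(alert_line)
    rule = rules_by_sid[alert["sid"]]
    home = ipaddress.ip_network(home_net)
    # A rule written for the server's reply (flow:to_client / from_server) fires
    # on a packet whose *source* is the responder, so the initiator is the packet
    # destination. A report that prints the source as "attacker" gets this backwards.
    watches_reply = bool(rule["flow"] & {"to_client", "from_server"})
    if watches_reply:
        initiator, responder = alert["dst"], alert["src"]
    else:
        initiator, responder = alert["src"], alert["dst"]
    return {
        "sid": alert["sid"],
        "msg": alert["msg"],
        "report_says_attacker": alert["src"],   # naive source = attacker reading
        "initiator": initiator,
        "responder": responder,
        "initiator_is_home": ipaddress.ip_address(initiator) in home,
        "rule_watches_reply": watches_reply,
    }


# Constructed sample data: a reply-watching SMTP rule and a request-watching SSH rule.
CONSTRUCTED_RULES = [
    'alert tcp $HOME_NET 25 -> $EXTERNAL_NET any (msg:"EXAMPLE SMTP auth failure returned to client"; '
    'flow:established,to_client; content:"535 "; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH probe"; flow:to_server; sid:1000002; rev:1;)',
]
CONSTRUCTED_ALERTS = [
    "02/27-09:09:01.000000  [**] [1:1000001:1] EXAMPLE SMTP auth failure returned to client [**] "
    "[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 192.168.3.86:25 -> 203.0.113.10:51234",
    "02/27-09:10:05.000000  [**] [1:1000002:1] EXAMPLE SSH probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.10:40000 -> 192.168.3.86:22",
]
RULES_BY_SID = {r["sid"]: r for r in map(parse_rule, CONSTRUCTED_RULES)}


def summarize(alerts=CONSTRUCTED_ALERTS, rules=RULES_BY_SID, home_net="192.168.0.0/16"):
    """Classify every alert; home_net is an assumed value for the gateway's side."""
    return [classify(a, rules, home_net) for a in alerts]


if __name__ == "__main__":
    for r in summarize():
        print("sid %d: report says attacker=%s; initiator=%s (home=%s) responder=%s"
              % (r["sid"], r["report_says_attacker"], r["initiator"],
                 r["initiator_is_home"], r["responder"]))
```

For the SMTP alert the packet source is the gateway's own 192.168.3.86, so a source-as-attacker report names it the attacker, while the direction-aware reading shows the external 203.0.113.10 as the initiator; for the SSH probe both readings agree. Feeding real `alert` lines and the matching rule files from the ruleset in use would separate the "backwards" entries from the rest.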
  • Accepted Answer

    tomas
    Monday, February 27 2012, 09:09 AM - #Permalink
    Resolved
    0 votes
    Hi

    Thank you Tim. I have checked SIDs.

    The problem is that Snort shows my two external interfaces, 192.168.3.86 and 192.168.1.3, as Attackers, and some IP addresses which are not in my internal network, e.g. verisign.com, ripe.net, amazon.com, mcafee.com, as Victims, and I think there might be a problem with the configuration. Or maybe I don't understand it correctly. In my opinion it should be the other way round: verisign.com, ripe.net, amazon.com, mcafee.com as Attackers and my interfaces as Victims.

    Thx
  • Accepted Answer

    Sunday, February 26 2012, 10:32 PM - #Permalink
    Resolved
    0 votes
    Depends on the rules they are triggering... most are false positives, and some rules are particularly 'noisy'.

    Snort is trying to alert you to something it thinks is odd, but it may be OK. You should investigate the rule 'SID' and what triggers it.

    You can search snort rules here (see top right box)
    http://www.snort.org/snort-rules/