[wplug] Need help with a snort alert. Did my box get hacked?

Ken Rambler ken at ramblernet.com
Fri Oct 21 12:37:40 EDT 2005


I still think this is a 404 string entry in your HTTP log, perhaps an
overflow attempt. It would be good to know specifically which log contained
the entry. Can you log in to the server and read the log files? If that is
one entry in your access file, then I would not be too concerned. You could
add the offending IP address to your hosts.deny file but that doesn't
normally stop an attacker for long.
 
My suggestion is to ask the snort.org forum to be sure. 
 
-----Original Message-----
From: wplug-bounces+ken=ramblernet.com at wplug.org
[mailto:wplug-bounces+ken=ramblernet.com at wplug.org] On Behalf Of Chris
Romano
Sent: Friday, October 21, 2005 11:45 AM
To: General user list
Subject: Re: [wplug] Need help with a snort alert. Did my box get hacked?
On 10/21/05, Ken Rambler <ken at ramblernet.com> wrote: 

Chris,
 
Are you using IPTABLES or SHOREWALL? 
Do you have a wireless router on your LAN, and if so are you using wireless
encryption? 
Was this message from your firewall or a machine behind it? 
Which log contained the message?
 
At first glance this looks like a 404 entry from your HTTP log.
The main firewall is an InstaGate firewall.  It's basically a box with
Pittbull Linux, and you use a web interface to administer it.  The
firewall/proxy box is using IPTABLES.

This is a LAN and we do not have any wireless APs.

The entry is from Snort IDS.  Our snort box logs everything into a MySQL
database and we just use a Web GUI to view the data.

This is our setup

XXXXXXX - main Firewall (10.10.10.1)
     |
     | --- XXXX  Snort Box
     |
     | --- XXXX two public boxes (web/email etc)
     |
XXXXXXX - Firewall/Proxy (10.10.10.5)
     |
XXXXXXX - 192.168.0.x network

Thanks,
Chris



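Ken's advice above is to open the web server's own access log, find the request that tripped the Snort signature, and judge it by what is around it: a lone 404 is noise, while a 404 with an abnormally long or byte-repeating URI from the same source looks like an overflow probe. The script below is an added example of that triage and is not code from the thread or from Snort; it assumes the Apache/NCSA combined log format, treats "overflow attempt" as a URI over 255 bytes or one containing a run of 64 identical characters (both thresholds are arbitrary choices for illustration), and runs on constructed log lines embedded in the file. The `hosts_deny_entry` helper writes the tcp_wrappers line Ken mentions.

```python
"""Triage an HTTP access log around an IDS alert (added example).

Assumptions not taken from the thread: NCSA combined log format, and an
"overflow attempt" heuristic of a very long URI or a long run of one
repeated byte.  SAMPLE_LOG is constructed data, not a real capture.
"""
import re
from collections import defaultdict

# NCSA combined format up to the status and size fields; referrer and
# user-agent may follow but are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# 64 or more copies of the same character in a row (padding-style probe).
REPEAT_RE = re.compile(r'(.)\1{63,}')

# Constructed sample: one browser visit with a benign favicon 404, and two
# 404s from a second host, one of them a 300-byte "AAAA..." CGI request.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Oct/2005:11:02:13 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Oct/2005:11:02:14 -0400] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Oct/2005:11:40:51 -0400] "GET /cgi-bin/{0} HTTP/1.0" 404 287 "-" "-"
198.51.100.7 - - [21/Oct/2005:11:40:52 -0400] "GET /scripts/nosuchfile.dll HTTP/1.0" 404 294 "-" "-"
""".format("A" * 300)


def parse_line(line):
    """Return {ip, ts, uri, status} for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    # Request is normally "METHOD URI PROTOCOL"; tolerate a bare URI.
    uri = parts[1] if len(parts) >= 2 else parts[0]
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "uri": uri, "status": int(m.group("status"))}


def assess(entry, suspect_ip=None, long_uri=255):
    """List the reasons an entry deserves a look; empty list means benign."""
    reasons = []
    if suspect_ip and entry["ip"] == suspect_ip and entry["status"] == 404:
        reasons.append("404_from_suspect")      # the IP the IDS alerted on
    if len(entry["uri"]) > long_uri:
        reasons.append("long_uri")              # far longer than real pages
    if REPEAT_RE.search(entry["uri"]):
        reasons.append("repeated_bytes")        # classic overflow padding
    return reasons


def triage(lines, suspect_ip=None):
    """Count requests/404s per client and collect flagged entries."""
    by_ip = defaultdict(lambda: {"requests": 0, "errors_404": 0})
    flagged = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue                             # skip garbage lines
        by_ip[e["ip"]]["requests"] += 1
        if e["status"] == 404:
            by_ip[e["ip"]]["errors_404"] += 1
        reasons = assess(e, suspect_ip)
        if reasons:
            flagged.append({"ip": e["ip"], "ts": e["ts"],
                            "uri": e["uri"][:60], "reasons": reasons})
    return {"by_ip": dict(by_ip), "flagged": flagged}


def hosts_deny_entry(ip, daemons="ALL"):
    """tcp_wrappers /etc/hosts.deny syntax: daemon_list : client_list."""
    return f"{daemons}: {ip}"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines(), suspect_ip="198.51.100.7")
    for ip, counts in result["by_ip"].items():
        print(f"{ip:15} requests={counts['requests']} 404s={counts['errors_404']}")
    for f in result["flagged"]:
        print(f"FLAG {f['ip']} {f['ts']} {f['uri']} {','.join(f['reasons'])}")
    print("hosts.deny line:", hosts_deny_entry("198.51.100.7"))
```

The benign favicon 404 from the first client is counted but never flagged, which is the "one entry in your access file" case; the second client is flagged once for being the alerting IP with a 404 and again for the padded URI. One caveat on the hosts.deny line: tcp_wrappers only governs daemons linked against libwrap or started from inetd/xinetd, so it will not stop requests to Apache itself; for the web server the block has to go into the firewall rules (iptables on the boxes described in the thread).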
