[wplug] Need help with a snort alert. Did my box get hacked?[SOLVED]

Chris Romano romano.chris at gmail.com
Fri Oct 21 13:50:01 EDT 2005


It was a false positive. That alert was triggered because someone was
viewing a phrack article. It matched up perfectly.

Thanks,
Chris

On 10/21/05, Chris Romano <romano.chris at gmail.com> wrote:
>
> This was not in any "log". Snort analyzes all traffic that it sees and
> checks it against specific rules. If the packet contains a certain attack
> signature/pattern it creates an alert. Here is the rule that created that
> alert:
>
> alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned
> root"; content:"uid=0|28|root|29|"; classtype:bad-unknown
> ; sid:498; rev:6;)
>
> See "content". If that string is in a packet, snort will fire an alert.
>
> I am going to head over to snort now, I asked this list first because I
> was more concerned about verifying if my box has been hacked or not. I was
> hoping that someone could point me to other places/files/etc to check.
>
> Thanks,
> Chris
>
> On 10/21/05, Ken Rambler <ken at ramblernet.com> wrote:
>
> > I still think this is a 404 string entry in your HTTP log, perhaps an
> > overflow attempt. It would be good to know specifically which log contained
> > the entry. Can you log in to the server and read the log files? If that is
> > one entry in your access file, then I would not be too concerned. You could
> > add the offending IP address to your hosts.deny file but that doesn't
> > normally stop an attacker for long.
> > My suggestion is to ask the snort.org forum to be sure.
> > -----Original Message-----
> > From: wplug-bounces+ken=ramblernet.com at wplug.org On Behalf Of Chris Romano
> > Sent: Friday, October 21, 2005 11:45 AM
> > To: General user list
> > Subject: Re: [wplug] Need help with a snort alert. Did my box get
> > hacked?
> >
> >
> >
> > On 10/21/05, Ken Rambler <ken at ramblernet.com> wrote:
> > >
> > > Chris,
> > >  Are you using IPTABLES or SHOREWALL?
> > > Do you have a wireless router on your LAN, and if so are you using
> > > wireless encryption?
> > > Was this message from your firewall or a machine behind it?
> > > Which log contained the message?
> > >  At first glance this looks like a 404 entry from your HTTP log.
> > >
> >
> >
> > The main firewall is an InstaGate firewall. It's basically a box with
> > Pittbull Linux and you use a web interface to administer it. The
> > firewall/proxy box is using IPTABLES.
> >
> > This is a LAN and we do not have any wireless APs.
> >
> > The entry is from Snort IDS. Our snort box logs everything into a MySQL
> > database and we just use a Web GUI to view the data.
> >
> > This is our setup
> >
> > XXXXXXX - main Firewall (10.10.10.1)
> > |
> > | --- XXXX Snort Box
> > |
> > | --- XXXX two public boxes (web/email etc)
> > |
> > XXXXXXX - Firewall/Proxy (10.10.10.5)
> > |
> > XXXXXXX - 192.168.0.x network
> >
> > Thanks,
> > Chris
> >
> >
> > _______________________________________________
> > wplug mailing list
> > wplug at wplug.org
> > http://www.wplug.org/mailman/listinfo/wplug
> >
> >
> >
>
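Added example, not from the thread: a small Python matcher that decodes the sid:498 rule's content string (literal text plus |hex| bytes) and checks it against two constructed payloads, one an HTTP response carrying article text that quotes `id` output (the false positive described above) and one ordinary page. The triage helper and the sample payloads are assumptions for illustration.

```python
def parse_snort_content(content: str) -> bytes:
    """Decode a Snort 'content' value into raw bytes.

    Text outside |...| is literal; text inside is space-separated hex bytes,
    so 'uid=0|28|root|29|' becomes b'uid=0(root)'.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")          # literal segment
        else:
            out += bytes.fromhex(part.replace(" ", ""))  # hex segment
    return bytes(out)


# content string from the rule quoted in the thread (sid:498)
SID_498_CONTENT = "uid=0|28|root|29|"


def rule_498_matches(payload: bytes) -> bool:
    """True if the rule's content bytes occur anywhere in the payload.

    The rule is 'ip any any -> any any', so direction and port are not
    considered, which is why web content viewed by a client can trigger it."""
    return parse_snort_content(SID_498_CONTENT) in payload


def triage(payload: bytes) -> str:
    """Hypothetical first-pass label for an analyst: was the match inside an
    HTTP response body (likely viewed web content, verify the URL) or not?"""
    if not rule_498_matches(payload):
        return "no-match"
    if payload.startswith(b"HTTP/1.") and b"\r\n\r\n" in payload:
        return "match-in-http-response"   # check which page the client fetched
    return "match-outside-http"           # e.g. shell output; investigate host


# Constructed samples (not real captures).
PHRACK_LIKE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"...then confirm it worked:\n$ id\nuid=0(root) gid=0(root) groups=0(root)\n"
)
ORDINARY_RESPONSE = b"HTTP/1.1 200 OK\r\n\r\n<html>hello</html>"
RAW_SHELL_OUTPUT = b"uid=0(root) gid=0(root)\n# "
```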