<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<TITLE>Message</TITLE>
<META content="MSHTML 6.00.2800.1106" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=642163016-21102005><FONT face=Arial color=#0000ff size=2>I
still think this is a 404 string entry in your HTTP log, perhaps an overflow
attempt. It would be good to know specifically which log contained the entry.
Can you log in to the server and read the log files? If that is one entry in
your access file, then I would not be too concerned. You could add the offending
IP address to your hosts.deny file but that doesn't normally stop
an attacker for long.</FONT></SPAN></DIV>
<DIV><SPAN class=642163016-21102005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=642163016-21102005><FONT face=Arial color=#0000ff size=2>My
suggestion is to ask the snort.org forum to be sure. </FONT></SPAN></DIV>
<DIV><SPAN class=642163016-21102005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV></DIV>
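<DIV><FONT face=Arial size=2>Added editorial example (not code from any poster on this thread): the triage Ken suggests, reading the web server's own access log rather than only the Snort alert, done with a short POSIX shell script. It counts 404 responses per source address, so a single entry from one IP stands out from a scan, and flags request targets that are abnormally long (the usual shape of an overflow attempt) or percent-encoded (the usual shape of a traversal or encoding-bypass probe). The log lines it reads are constructed sample data; the addresses 203.0.113.7 and 198.51.100.9 are documentation addresses, and the field positions assume Apache common/combined log format. One practical caveat on the hosts.deny suggestion: tcp_wrappers only governs services linked against libwrap or run through tcpd, which a stock Apache is not, so reading the access log is the step that actually answers the question.</FONT></DIV>

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): triage an Apache
# common/combined-format access log for the kind of single 404 entry the
# Snort alert pointed at. Everything below is constructed sample data;
# 203.0.113.7 and 198.51.100.9 are documentation addresses, not real hosts.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
10.10.10.5 - - [21/Oct/2005:11:30:01 -0400] "GET /index.html HTTP/1.1" 200 1234
203.0.113.7 - - [21/Oct/2005:11:31:10 -0400] "GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.0" 404 296
203.0.113.7 - - [21/Oct/2005:11:31:11 -0400] "GET /cgi-bin/..%2f..%2f..%2fetc%2fpasswd HTTP/1.0" 404 296
198.51.100.9 - - [21/Oct/2005:11:40:00 -0400] "GET /favicon.ico HTTP/1.1" 404 209
EOF

# Field layout in common/combined format: $1 client IP, $4/$5 timestamp,
# $6 "METHOD, $7 request target, $8 HTTP/x.y", $9 status, $10 bytes.

# count_404s LOG IP: how many 404 responses the server returned to IP
count_404s() {
    awk -v ip="$2" '$1 == ip && $9 == 404' "$1" | wc -l | tr -d ' '
}

# top_404_sources LOG: "<count> <ip>" for every source that drew a 404,
# busiest first. One entry is noise; a long tail from one IP is a scan.
top_404_sources() {
    awk '$9 == 404 { print $1 }' "$1" | sort | uniq -c | sort -rn
}

# long_requests LOG MAXLEN: lines whose request target exceeds MAXLEN bytes,
# the typical shape of a buffer overflow attempt against a server or CGI
long_requests() {
    awk -v max="$2" 'length($7) > max' "$1"
}

# encoded_requests LOG: lines whose request target carries percent-encoded
# bytes, typical of directory traversal and encoding-bypass probes
encoded_requests() {
    awk '$7 ~ /%[0-9A-Fa-f][0-9A-Fa-f]/' "$1"
}

# Stand-alone run: print the three views a first look at the log needs.
echo "404 responses by source address:"
top_404_sources "$SAMPLE_LOG"
echo "Request targets longer than 100 bytes:"
long_requests "$SAMPLE_LOG" 100
echo "Percent-encoded request targets:"
encoded_requests "$SAMPLE_LOG"
```

<DIV><FONT face=Arial size=2>On a real box, point the functions at /var/log/httpd/access_log (or wherever the server writes) instead of the constructed sample, and lower or raise the 100-byte threshold to match the longest legitimate URL the site serves.</FONT></DIV>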
<DIV><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B>
wplug-bounces+ken=ramblernet.com@wplug.org
[mailto:wplug-bounces+ken=ramblernet.com@wplug.org] <B>On Behalf Of </B>Chris
Romano<BR><B>Sent:</B> Friday, October 21, 2005 11:45 AM<BR><B>To:</B> General
user list<BR><B>Subject:</B> Re: [wplug] Need help with a snort alert. Did my
box get hacked?<BR><BR></DIV></FONT>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px"><BR><BR>
<DIV><SPAN class=gmail_quote>On 10/21/05, <B class=gmail_sendername>Ken
Rambler</B> <<A href="mailto:ken@ramblernet.com">ken@ramblernet.com</A>>
wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV><FONT face=Arial color=#0000ff size=2><SPAN>Chris,</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN>Are you using IPTABLES or
SHOREWALL? </SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN>Do you have a wireless
router on your LAN, and if so are you using wireless encryption?
</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN>Was this message from your
firewall or a machine behind it? </SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN>Which log contained the
message?</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN>At first glance this looks
like a 404 entry from your HTTP log.</SPAN></FONT></DIV></BLOCKQUOTE>
<DIV><BR><BR>The main firewall is an InstaGate firewall. It's basically
a box with Pittbull Linux and you use a web interface to administer it.
The firewall/proxy box is using IPTABLES.<BR><BR>This is a LAN and we do not
have any wireless APs.<BR><BR>The entry is from Snort IDS. Our snort box
logs everything into a MySQL database and we just use a Web GUI to view the
data.<BR><BR>This is our setup:<BR><BR><PRE>XXXXXXX - main Firewall (<A href="http://10.10.10.1">10.10.10.1</A>)
   |
   | --- XXXX Snort Box
   |
   | --- XXXX two public boxes (web/email etc)
   |
XXXXXXX - Firewall/Proxy (<A href="http://10.10.10.5">10.10.10.5</A>)
   |
XXXXXXX - 192.168.0.x network</PRE><BR>Thanks,<BR>Chris<BR></DIV><BR></DIV></BLOCKQUOTE></BODY></HTML>