OK, so with a little data analyzing help from users at the Remote Exploit forums it seems these snort alerts can either mean that:
1. One of the SQL slammer attempts have been successful and that the honeypot is included in a Fast-Flux network to help spread malware, hence the snort alerts regarding DNS spoofing. (If unfamiliar with fast-flux, check out the article on wikipedia and the references used there - that should provide you with more than enough information).
2. There is something wrong with my honeywall setup which causes snort to generate all the SQL alerts, see here for a thread on the Snort IDS forum for a thread regarding this matter.
Also, the DNS no authority messages can have a natural explanation as you can see from this excerpt from the Snort-users mailing list.
Either way, I'm considering moving on from a virtual to a physical honeynet due to a lot of issues with the time stamping in honeywall which is giving me somewhat of a headache when it comes to analyzing the what/when/where of the IDS alerts.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment