Monday, August 11, 2008

OK, I've been away for the weekend and came back to discover that my honeynet lost its Internet connection Friday night :/

This means that I don't have too much exciting stuff to report yet; most of the things I've registered in the IDS logs are a bunch of SQL worm attempts like this:


[**] [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [**]
[Classification: Misc Attack] [Priority: 2]
08/11-01:58:53.294081 61.132.XX.XX:1211 -> 81.191.XX.XX:1434
UDP TTL:117 TOS:0x28 ID:56527 IpLen:20 DgmLen:404
Len: 376
[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref => http://cgi.nessus.org/plugins/dump.php3?id=11214][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref => http://www.securityfocus.com/bid/5311][Xref => http://www.securityfocus.com/bid/5310]



[**] [1:2050:9] MS-SQL version overflow attempt [**]
[Classification: Misc activity] [Priority: 3]
08/11-01:58:53.294081 61.132.XX.XX:1211 -> 81.191.XX.XX:1434
UDP TTL:117 TOS:0x28 ID:56527 IpLen:20 DgmLen:404


Except for a couple of things which I haven't been able to figure out yet:


[**] [1:853:9] WEB-CGI wrap access [**]
[Classification: Attempted Information Leak] [Priority: 2]
08/08-01:58:36.825855 81.191.XX.XX:1078 -> 194.19.40.XX.XX
TCP TTL:128 TOS:0x0 ID:1234 IpLen:20 DgmLen:435 DF
***AP*** Seq: 0x69A84218 Ack: 0xC6CC65E3 Win: 0xFAF0 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10317][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0149][Xref => http://www.securityfocus.com/bid/373][Xref => http://www.whitehats.com/info/IDS234]



[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
08/08-01:58:37.005811 81.191.XX.XX:1079 -> 209.225.XX.101:80
TCP TTL:128 TOS:0x0 ID:1350 IpLen:20 DgmLen:626 DF
***AP*** Seq: 0x743BD687 Ack: 0xD43850A1 Win: 0xFAF0 TcpLen: 20

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
08/08-01:58:37.331863 81.191.XX.XX:1085 -> 209.225.XX.103:80
TCP TTL:128 TOS:0x0 ID:1581 IpLen:20 DgmLen:755 DF
***AP*** Seq: 0x3B1EA19 Ack: 0xCBE50FEA Win: 0xFAF0 TcpLen: 20



[**] [1:254:4] DNS SPOOF query response with TTL of 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/08-01:58:40.626619 193.75.XX.XX:53 -> 81.191.XX.XX:63481
UDP TTL:62 TOS:0x0 ID:31932 IpLen:20 DgmLen:77
Len: 49


[**] [1:254:4] DNS SPOOF query response with TTL of 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/08-01:58:40.638668 193.75.XX.XX:53 -> 81.191.XX.XX:64588
UDP TTL:62 TOS:0x0 ID:31998 IpLen:20 DgmLen:77
Len: 49



[**] [1:2201:5] WEB-CGI download.cgi access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
08/08-01:58:42.831535 81.191.XX.XX:1109 -> 192.150.XX.XX:80
TCP TTL:128 TOS:0x0 ID:2126 IpLen:20 DgmLen:459 DF
***AP*** Seq: 0x2952FB1C Ack: 0x753F6338 Win: 0xF9D1 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11748][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1377][Xref => http://www.securityfocus.com/bid/4579]


Some of the things in the above output are kinda self-explanatory, but there are a couple of things that have confused me a bit.

For instance, the DOUBLE DECODING attack, which came from 209.225.XX.101 to begin with, also came from 209.225.XX.102 and 209.225.XX.103 after a little while.

Does anyone know what this means? I was thinking botnet traffic, but that is just speculation on my part; I still have a lot to learn when it comes to analyzing IDS logs etc.
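One thing that helps when staring at output like the above is to stop reading the alerts one by one and instead parse them, then work out for every alert which side is the honeynet. The script below is an added example, not something from the original post or from Snort itself: it parses the "full" alert format shown above, tags each alert as inbound or outbound relative to a home prefix (81.191. is assumed here, matching the censored addresses in the post), counts alerts per signature and collects the peer addresses involved. It also flags alerts whose rule name says OUTBOUND or INBOUND while the addresses say the opposite; the name describes which rule variant fired, so a mismatch is usually the first hint that HOME_NET is not set the way one thinks. The sample input is constructed from the alerts quoted in the post, censored the same way.

```python
"""Parse Snort "full" alert output and summarise it relative to a honeynet prefix.

Added example for this post; the sample alerts below are constructed from the
ones quoted above (addresses censored as in the post), not a real capture.
"""
import re

SAMPLE_ALERTS = """\
[**] [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [**]
[Classification: Misc Attack] [Priority: 2]
08/11-01:58:53.294081 61.132.XX.XX:1211 -> 81.191.XX.XX:1434
UDP TTL:117 TOS:0x28 ID:56527 IpLen:20 DgmLen:404

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
08/08-01:58:37.005811 81.191.XX.XX:1079 -> 209.225.XX.101:80
TCP TTL:128 TOS:0x0 ID:1350 IpLen:20 DgmLen:626 DF

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
08/08-01:58:37.331863 81.191.XX.XX:1085 -> 209.225.XX.103:80
TCP TTL:128 TOS:0x0 ID:1581 IpLen:20 DgmLen:755 DF

[**] [1:254:4] DNS SPOOF query response with TTL of 1 min. and no authority [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/08-01:58:40.626619 193.75.XX.XX:53 -> 81.191.XX.XX:63481
UDP TTL:62 TOS:0x0 ID:31932 IpLen:20 DgmLen:77
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
# Source/destination may appear without a port (compare the WEB-CGI wrap alert above).
PACKET_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$"
)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+)")


def parse_alerts(text):
    """Split full-format alert text into one dict per alert (blank line separated)."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue  # not an alert header; skip unknown blocks instead of failing
        gid, sid, rev, msg = head.groups()
        alert = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
                 "classification": None, "priority": None, "proto": None}
        for line in lines[1:]:
            cls = CLASS_RE.match(line)
            if cls:
                alert["classification"], alert["priority"] = cls.group(1), int(cls.group(2))
                continue
            pkt = PACKET_RE.match(line)
            if pkt:
                ts, src, sport, dst, dport = pkt.groups()
                alert.update(ts=ts, src=src, sport=int(sport) if sport else None,
                             dst=dst, dport=int(dport) if dport else None)
                continue
            proto = PROTO_RE.match(line)
            if proto:
                alert["proto"], alert["ttl"] = proto.group(1), int(proto.group(2))
        alerts.append(alert)
    return alerts


def direction(alert, home_prefix):
    """Classify by addresses only: which side of the flow is the honeynet?"""
    src_home = alert["src"].startswith(home_prefix)
    dst_home = alert["dst"].startswith(home_prefix)
    if src_home and not dst_home:
        return "outbound"
    if dst_home and not src_home:
        return "inbound"
    return "internal" if src_home else "transit"


def summarise(alerts, home_prefix):
    """Per signature: total count, inbound/outbound split and the set of remote peers."""
    summary = {}
    for a in alerts:
        entry = summary.setdefault((a["gid"], a["sid"], a["msg"]),
                                   {"count": 0, "inbound": 0, "outbound": 0, "peers": set()})
        entry["count"] += 1
        d = direction(a, home_prefix)
        if d in ("inbound", "outbound"):
            entry[d] += 1
        entry["peers"].add(a["dst"] if d == "outbound" else a["src"])
    return summary


def direction_mismatches(alerts, home_prefix):
    """Alerts whose rule name claims a direction the addresses do not support."""
    found = []
    for a in alerts:
        d = direction(a, home_prefix)
        for word in ("OUTBOUND", "INBOUND"):
            if word in a["msg"].upper() and d != word.lower():
                found.append(a)
    return found


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for key, entry in summarise(parsed, "81.191.").items():
        print(key[1], key[2], entry["count"], "in:", entry["inbound"],
              "out:", entry["outbound"], "peers:", sorted(entry["peers"]))
    for a in direction_mismatches(parsed, "81.191."):
        print("direction mismatch:", a["sid"], a["msg"], a["src"], "->", a["dst"])
```

Run against the quoted alerts, the summary shows the two DOUBLE DECODING alerts as outbound from the honeynet to two distinct 209.225.XX hosts on port 80, the DNS alert as inbound from the 193.75.XX.XX resolver, and the MS-SQL "OUTBOUND" alert as a direction mismatch, since its addresses run from 61.132.XX.XX into the 81.191.XX.XX net.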

Finally, the DNS Spoof Query response alerts: I'm not sure why they appear, since they come from a legit DNS server I use. Might this just be a misconfiguration somewhere which makes Snort log these events as a possible incident?
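To see what that DNS signature actually keys on, it helps to build the kind of packet it describes. The example below is added here and is not from the post or from the Snort rule set: it constructs a minimal DNS response with a single A answer and checks the properties the alert name spells out, namely a response with exactly one answer, a TTL of 60 seconds and no authority (or additional) records. That check is my reading of the signature name; the exact byte pattern the rule matches should be confirmed in the local rules file. The point for a honeynet is that a perfectly ordinary recursive resolver answering from cache can hand back an A record with 60 seconds left on its TTL and nothing in the authority section, so the alert is a low-fidelity heuristic rather than proof of spoofing. With the query name used here the response is 49 bytes, the same payload length ("Len: 49") as the two alerts above.

```python
"""Build a minimal DNS A-record response and test it against the
"TTL of 1 min. and no authority" heuristic. Added example; the packets are
constructed here, not captured traffic."""
import struct

A_TYPE, NS_TYPE, IN_CLASS = 1, 2, 1
RESPONSE_FLAGS = 0x8180  # QR=1, RD=1, RA=1, RCODE=0: standard recursive answer


def encode_name(name):
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid, qname, ipv4, ttl, with_authority=False):
    """Constructed response: one question, one A answer, optional NS authority RR."""
    ns_rr = b""
    if with_authority:
        nsname = encode_name("ns1.example.com")  # assumed name, sample only
        ns_rr = b"\xc0\x0c" + struct.pack("!HHIH", NS_TYPE, IN_CLASS, ttl, len(nsname)) + nsname
    header = struct.pack("!HHHHHH", txid, RESPONSE_FLAGS, 1, 1, 1 if with_authority else 0, 0)
    question = encode_name(qname) + struct.pack("!HH", A_TYPE, IN_CLASS)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return header + question + answer + ns_rr


def skip_name(buf, off):
    """Advance past a wire-format name, handling a compression pointer."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2  # pointer: two bytes, name ends here
        off += 1 + length


def parse_response(buf):
    """Decode the header counts and the answer section of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        answers.append({"type": rtype, "class": rclass, "ttl": ttl,
                        "rdata": buf[off:off + rdlen]})
        off += rdlen
    return {"txid": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "answers": answers}


def looks_like_sid254(buf):
    """True when the message has the shape the alert name describes
    (assumed reading of the signature: one A answer, TTL 60 s, no authority)."""
    r = parse_response(buf)
    if not r["flags"] & 0x8000 or r["qdcount"] != 1 or r["ancount"] != 1:
        return False
    if r["nscount"] != 0 or r["arcount"] != 0:
        return False
    ans = r["answers"][0]
    return ans["type"] == A_TYPE and ans["ttl"] == 60


if __name__ == "__main__":
    pkt = build_a_response(0x1234, "www.example.com", "192.0.2.10", 60)
    print(len(pkt), "bytes, matches heuristic:", looks_like_sid254(pkt))
```

The two negative cases worth keeping in mind when tuning this: the same answer with a TTL of 3600 does not match, and neither does the 60-second answer once the resolver includes an authority record, which is why whether a given upstream server trips the rule depends mostly on what it happens to have cached.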

As you probably understand, the honeypot is placed on the 81.191.XX.XX net; I've also chosen to censor the addresses of the machines which have initiated this traffic.

I haven't decided how to handle this part yet, so for the moment I will censor these addresses to ensure that no-one will target these machines for any attacks etc.

That's it for the moment. If anyone could help me to analyze the last output and tell me what they can read from it, that would be great!
