System Attack or ?
Hi everyone,

Receiving this from snort, can someone explain what the hell is going on? I have an ADSL connection on eth1 with a DHCP-assigned IP and the LAN is on eth0. I am running snort with -i eth1 as the daemon, with snort-lin defining HOME_NET as 192.168.1.0/24 and EXTERNAL_NET as 212.xxx.xxx.0/22 as outlined with the ifconfig; everything else is left as is. Help is appreciated.

Mar 27 18:11:49 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61018 -> 195.44.254.18:80
Mar 27 18:12:00 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61019 -> 207.200.86.65:80
Mar 27 18:12:00 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61019 -> 207.200.86.65:80
Mar 27 18:12:02 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61020 -> 207.200.86.65:80
Mar 27 18:12:02 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61020 -> 207.200.86.65:80
Mar 27 18:12:03 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61019 -> 207.200.86.65:80
Mar 27 18:12:08 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61020 -> 207.200.86.65:80
Mar 27 18:12:08 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61020 -> 207.200.86.65:80
Mar 27 18:12:10 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61021 -> 205.188.245.116:80
Mar 27 18:12:10 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 212.xxx.xxx.xxx:61021 -> 205.188.245.116:80

-- Togan Muftuoglu
Hi Togan,

This is most likely triggered by someone from your internal LAN accessing a web site with an occasional Unicode overlong prefix (probably stored in a cookie or something). Since 207.200.86.65 is mychannelvip.netscape.com, this isn't really unusual. The source port is greater than 61000, which means it is a masqueraded connection coming from your internal LAN, not from your external host.

My guess: a false positive.

Hope that helps.

Regards, Martin
-- Martin Leweling Institut fuer Planetologie, WWU Muenster Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany Tel.: +49-251-83-33557 Fax: +49-251-83-39083 E-Mail (work): lewelin@uni-muenster.de
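The triage Martin describes (sniffing on the external interface, so LAN clients show up with the gateway's masqueraded address; source port in the masquerading range plus destination port 80 means an outbound browsing session, not an inbound probe) can be scripted over the syslog lines. The following is an added example and not code from the thread or from Snort. It assumes the Linux ipchains masquerading port range 61000-65095, uses the documentation address 192.0.2.10 and the network 192.0.2.0/24 in place of the masked 212.xxx.xxx.xxx address and 212.xxx.xxx.0/22 block, and the sample log is constructed: the first four lines mirror the ones posted, the fifth is an invented inbound alert so the other branch is exercised.

```python
"""Triage Snort spp_http_decode syslog alerts by direction and masquerade port.

Added example, not part of the original thread or of Snort itself.
"""
import ipaddress
import re
from collections import Counter

# Shape of the syslog lines quoted in the thread.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort: "
    r"(?P<preproc>\w+): (?P<msg>.+?): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Assumption: Linux ipchains masquerading rewrites the source port of every
# masqueraded connection into 61000..65095 (PORT_MASQ_BEGIN..PORT_MASQ_END-1).
MASQ_PORTS = range(61000, 65096)

HOME_NET = ipaddress.ip_network("192.168.1.0/24")
# Stand-in for the masked 212.xxx.xxx.0/22 from the thread (assumption).
EXTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample: first four lines mirror the posted alerts with the gateway
# address replaced; the last line is an invented inbound probe.
SAMPLE_LOG = """\
Mar 27 18:11:49 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 192.0.2.10:61018 -> 195.44.254.18:80
Mar 27 18:12:00 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 192.0.2.10:61019 -> 207.200.86.65:80
Mar 27 18:12:00 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 192.0.2.10:61019 -> 207.200.86.65:80
Mar 27 18:12:10 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 192.0.2.10:61021 -> 205.188.245.116:80
Mar 27 18:13:05 gardiyan snort: spp_http_decode: IIS Unicode attack detected: 203.0.113.5:4321 -> 192.0.2.10:80
"""


def parse_alert(line):
    """Parse one syslog line into a dict, or return None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sport"] = int(alert["sport"])
    alert["dport"] = int(alert["dport"])
    return alert


def classify(alert):
    """Verdict for one alert seen on the external interface of a masquerading gateway."""
    src = ipaddress.ip_address(alert["src"])
    dst = ipaddress.ip_address(alert["dst"])
    if dst in HOME_NET or dst in EXTERNAL_NET:
        # Something outside is talking to one of our addresses: worth a look.
        return "inbound"
    if src in EXTERNAL_NET and alert["sport"] in MASQ_PORTS and alert["dport"] == 80:
        # Our gateway address, masquerade port, web server on the far end:
        # a LAN browser behind the gateway, the false-positive case in the thread.
        return "outbound-masqueraded"
    if src in EXTERNAL_NET:
        # Our address but a port outside the masquerade range: the gateway itself.
        return "outbound-gateway"
    return "unrelated"


def summarize(log_text):
    """Map verdict -> Counter of destination addresses, skipping non-alert lines."""
    verdicts = {}
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        verdicts.setdefault(classify(alert), Counter())[alert["dst"]] += 1
    return verdicts


if __name__ == "__main__":
    for verdict, dests in summarize(SAMPLE_LOG).items():
        print(verdict)
        for dst, n in dests.most_common():
            print(f"  {dst}: {n} alert(s)")
```

Anything that lands in the "inbound" bucket deserves a packet capture; the "outbound-masqueraded" bucket is the one Martin is describing, and a reverse lookup of its destinations (as he did for 207.200.86.65) usually settles it.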
Hi,

snort often detects this attack on my network, but it is always a false positive. The signature isn't very reliable, I think. Look out for more suspicious incidents of break-in attempts.
Bye, Thomas -- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas@suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka" Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
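Why the signature is unreliable becomes clear once you model what it looks for. The IIS Unicode traversal encoded "/" and "\" as overlong two-byte UTF-8 sequences (%c0%af, %c1%9c) that a lenient decoder accepts; a preprocessor that simply flags any 0xC0/0xC1 lead byte in the decoded URL will also fire on percent-encoded Latin-1 text whose byte pattern happens to look the same. The following is an added example, not Snort's spp_http_decode code and not from the thread: a simplified model of that check, plus a tighter variant that only alerts when the overlong sequence would decode to a path separator. The sample URLs are constructed.

```python
"""Model of an 'IIS Unicode' overlong-UTF-8 check and why it false-positives.

Added example; a simplification, not the actual Snort preprocessor logic.
"""
from urllib.parse import unquote_to_bytes

# Characters whose overlong encodings the IIS directory traversal relied on.
TRAVERSAL_CHARS = {ord("/"), ord("\\")}


def naive_2byte_decode(lead, cont):
    """Decode a 2-byte sequence the way a lenient decoder does: no overlong check."""
    return ((lead & 0x1F) << 6) | (cont & 0x3F)


def find_overlong(url):
    """Return (offset, naive code point) for every 0xC0/0xC1-led 2-byte sequence.

    Lead bytes 0xC0 and 0xC1 can only ever start an overlong encoding of an
    ASCII character, so every hit is either an attack encoding or non-UTF-8 data.
    """
    raw = unquote_to_bytes(url)  # also catches literal high bytes in the request
    hits = []
    for i in range(len(raw) - 1):
        lead, cont = raw[i], raw[i + 1]
        if lead in (0xC0, 0xC1) and 0x80 <= cont <= 0xBF:
            hits.append((i, naive_2byte_decode(lead, cont)))
    return hits


def strict_utf8_ok(url):
    """A strict decoder (Python's) rejects overlong forms outright."""
    try:
        unquote_to_bytes(url).decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def verdict(url):
    """'clean', 'traversal' (overlong slash/backslash) or 'overlong-noise'.

    A check that alerts on any hit corresponds to the noisy signature discussed
    in the thread; alerting only on 'traversal' is the tighter variant.
    """
    hits = find_overlong(url)
    if not hits:
        return "clean"
    if any(cp in TRAVERSAL_CHARS for _, cp in hits):
        return "traversal"
    return "overlong-noise"


# Constructed samples: a classic traversal request, a Latin-1 query value
# ("\xc0\xb0", i.e. "A-grave, degree sign") that looks like an overlong pair,
# and a plain ASCII request.
SAMPLES = [
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/cgi-bin/track?name=%C0%B0&id=42",
    "/index.html?lang=fr",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{verdict(url):15} strict_utf8_ok={strict_utf8_ok(url)!s:5} {url}")
```

The second sample is the false-positive mechanism: both a naive "any 0xC0/0xC1 lead byte" check and a strict UTF-8 decoder object to it, yet nothing in it is a path separator. Deciding on the decoded character rather than on the lead byte alone is what separates the traversal attempt from stray Latin-1.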
participants (3)
- Martin Leweling
- Thomas Biege
- Togan Muftuoglu