[gentoo-security] Re: Snort alert with Squid ?

public inbox for gentoo-security@lists.gentoo.org
 help / color / mirror / Atom feed

From: aa6qn@aa6qn.sytes.net
To: gentoo-security@lists.gentoo.org
Subject: [gentoo-security] Re: Snort alert with Squid ?
Date: Mon, 7 Nov 2005 05:45:19 -0800 (PST)	[thread overview]
Message-ID: <50652.127.0.0.1.1131371119.squirrel@127.0.0.1> (raw)
In-Reply-To: <200511061121.51020.brian@braverock.com>

Yesterday as a follow on, I unmerged the Gentoo Squid (2.5.11 Stable) and
installed Squid-3.0-PRE3-20051030 direct from Squid-cache.org. After that
my only trigger was a common false positive but no random web attacks as
produced by the Gentoo version.

I did record attemps from other Gentoo platforms (i.e. 
raptor.gentoo.osuosl.org) that had the same attack signatures probing my
server.

I did save one alert log from the Gentoo Squid build and here are some clips:
----------------------------
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80
TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF
***AP*** Seq: 0xB9ED7061  Ack: 0x1D930248  Win: 0x1BB4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 287314455 7254994
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1376][Xref =>
http:/
/www.securityfocus.com/bid/2252]

[**] [1:1288:8] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application]
[Priority:
2]
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80
TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF
***AP*** Seq: 0xB9ED7061  Ack: 0x1D930248  Win: 0x1BB4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 287314455 7254994
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11032]

[**] [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/03-13:36:59.036747 192.168.1.12:36106 -> 130.191.143.18:443
TCP TTL:64 TOS:0x0 ID:44644 IpLen:20 DgmLen:489 DF
***AP*** Seq: 0xBBD22A6D  Ack: 0xC6E36C0C  Win: 0x2118  TcpLen: 32
TCP Options (3) => NOP NOP TS: 287348635 430347512
[Xref =>
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0719][Xref =>
http://www.securityfocus.com/bid/10116]

[**] [1:972:8] WEB-IIS %2E-asp access [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2]
11/03-13:38:00.152634 192.168.1.12:36118 -> 63.93.242.137:80
TCP TTL:64 TOS:0x0 ID:35374 IpLen:20 DgmLen:829 DF
***AP*** Seq: 0xC0300C22  Ack: 0x156D63CD  Win: 0x16D0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0253][Xref =>
http://www.securityfocus.com/bid/1814]

[**] [1:1564:6] WEB-MISC login.htm access [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2]
11/03-18:02:09.890960 192.168.1.12:32790 -> 209.202.161.132:80
TCP TTL:64 TOS:0x0 ID:16648 IpLen:20 DgmLen:568 DF
***AP*** Seq: 0xB256AB50  Ack: 0x16654B17  Win: 0x16D0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1533][Xref =>
http://www.securityfocus.com/bid/665]

[**] [1:895:7] WEB-CGI redirect access [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/03-18:02:19.371472 192.168.1.12:32796 -> 207.46.225.221:80
TCP TTL:64 TOS:0x0 ID:40290 IpLen:20 DgmLen:525 DF
***AP*** Seq: 0xB3019639  Ack: 0x80329EEE  Win: 0x6C0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 4294840274 7096916
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0382][Xref =>
http://www.securityfocus.com/bid/1179]

[**] [1:1333:6] WEB-ATTACKS id command attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:37:22.144594 192.168.1.12:33666 -> 63.208.226.65:80
TCP TTL:64 TOS:0x0 ID:61249 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0xDEBFB8B8  Ack: 0xDC15FDA0  Win: 0x16D0  TcpLen: 20

[**] [1:1112:6] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/03-21:43:43.650398 192.168.1.12:33728 -> 63.208.226.65:80
TCP TTL:64 TOS:0x0 ID:26729 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0xF4A1B938  Ack: 0xE9F492C2  Win: 0x16D0  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS298]

[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:56:10.945244 192.168.1.12:33991 -> 208.254.3.160:80
TCP TTL:64 TOS:0x0 ID:56127 IpLen:20 DgmLen:679 DF
***AP*** Seq: 0x2581E951  Ack: 0xF243E594  Win: 0x5B4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 13906685 185043937
[Xref => http://www.securityfocus.com/bid/2527]

[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:56:12.087098 192.168.1.12:33992 -> 66.179.5.89:80
TCP TTL:64 TOS:0x0 ID:14281 IpLen:20 DgmLen:980 DF
***AP*** Seq: 0x25AB00D1  Ack: 0x8BAB936F  Win: 0x16D0  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2527]

There has been much more but that's is just some snips of the one alert
log that I did save. So far with the new Squid cache I do not get attack
signature triggers as with the Gentoo release.

I was trying Snortsam to control my iptables and have not really gotten it
to work. I will give the flexresp and oinkmaster suite a look. Thank you.

Best wishes, JohnF





-- 
gentoo-security@gentoo.org mailing list

     prev parent reply	other threads:[~2005-11-07 13:49 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-11-06 16:03 [gentoo-security] Snort alert with Squid ? aa6qn
2005-11-06 17:21 ` Brian G. Peterson
2005-11-06 20:40   ` xyon
2005-11-07 13:45   ` aa6qn [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=50652.127.0.0.1.1131371119.squirrel@127.0.0.1 \
    --to=aa6qn@aa6qn.sytes.net \
    --cc=gentoo-security@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox