From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <50652.127.0.0.1.1131371119.squirrel@127.0.0.1>
In-Reply-To: <200511061121.51020.brian@braverock.com>
References: <63729.192.168.1.2.1131293015.squirrel@192.168.1.12> <200511061121.51020.brian@braverock.com>
Date: Mon, 7 Nov 2005 05:45:19 -0800 (PST)
Subject: [gentoo-security] Re: Snort alert with Squid ?
From: aa6qn@aa6qn.sytes.net
To: gentoo-security@lists.gentoo.org
User-Agent: SquirrelMail/1.4.4

Yesterday, as a follow-on, I unmerged the Gentoo Squid (2.5.11 Stable) and installed Squid-3.0-PRE3-20051030 direct from Squid-cache.org. After that my only trigger was a common false positive but no random web attacks as produced by the Gentoo version. I did record attempts from other Gentoo platforms (i.e. raptor.gentoo.osuosl.org) that had the same attack signatures probing my server.

I did save one alert log from the Gentoo Squid build and here are some clips:

----------------------------
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80
TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF
***AP*** Seq: 0xB9ED7061  Ack: 0x1D930248  Win: 0x1BB4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 287314455 7254994
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1376][Xref => http://www.securityfocus.com/bid/2252]

[**] [1:1288:8] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80
TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF
***AP*** Seq: 0xB9ED7061  Ack: 0x1D930248  Win: 0x1BB4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 287314455 7254994
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11032]

[**] [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/03-13:36:59.036747 192.168.1.12:36106 -> 130.191.143.18:443
TCP TTL:64 TOS:0x0 ID:44644 IpLen:20 DgmLen:489 DF
***AP*** Seq: 0xBBD22A6D  Ack: 0xC6E36C0C  Win: 0x2118  TcpLen: 32
TCP Options (3) => NOP NOP TS: 287348635 430347512
[Xref => http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0719][Xref => http://www.securityfocus.com/bid/10116]

[**] [1:972:8] WEB-IIS %2E-asp access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
11/03-13:38:00.152634 192.168.1.12:36118 -> 63.93.242.137:80
TCP TTL:64 TOS:0x0 ID:35374 IpLen:20 DgmLen:829 DF
***AP*** Seq: 0xC0300C22  Ack: 0x156D63CD  Win: 0x16D0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0253][Xref => http://www.securityfocus.com/bid/1814]

[**] [1:1564:6] WEB-MISC login.htm access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
11/03-18:02:09.890960 192.168.1.12:32790 -> 209.202.161.132:80
TCP TTL:64 TOS:0x0 ID:16648 IpLen:20 DgmLen:568 DF
***AP*** Seq: 0xB256AB50  Ack: 0x16654B17  Win: 0x16D0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1533][Xref => http://www.securityfocus.com/bid/665]

[**] [1:895:7] WEB-CGI redirect access [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/03-18:02:19.371472 192.168.1.12:32796 -> 207.46.225.221:80
TCP TTL:64 TOS:0x0 ID:40290 IpLen:20 DgmLen:525 DF
***AP*** Seq: 0xB3019639  Ack: 0x80329EEE  Win: 0x6C0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 4294840274 7096916
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0382][Xref => http://www.securityfocus.com/bid/1179]

[**] [1:1333:6] WEB-ATTACKS id command attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:37:22.144594 192.168.1.12:33666 -> 63.208.226.65:80
TCP TTL:64 TOS:0x0 ID:61249 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0xDEBFB8B8  Ack: 0xDC15FDA0  Win: 0x16D0  TcpLen: 20

[**] [1:1112:6] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/03-21:43:43.650398 192.168.1.12:33728 -> 63.208.226.65:80
TCP TTL:64 TOS:0x0 ID:26729 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0xF4A1B938  Ack: 0xE9F492C2  Win: 0x16D0  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS298]

[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:56:10.945244 192.168.1.12:33991 -> 208.254.3.160:80
TCP TTL:64 TOS:0x0 ID:56127 IpLen:20 DgmLen:679 DF
***AP*** Seq: 0x2581E951  Ack: 0xF243E594  Win: 0x5B4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 13906685 185043937
[Xref => http://www.securityfocus.com/bid/2527]

[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:56:12.087098 192.168.1.12:33992 -> 66.179.5.89:80
TCP TTL:64 TOS:0x0 ID:14281 IpLen:20 DgmLen:980 DF
***AP*** Seq: 0x25AB00D1  Ack: 0x8BAB936F  Win: 0x16D0  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2527]
----------------------------

There has been much more, but that's just some snips of the one alert log that I did save. So far with the new Squid cache I do not get attack signature triggers as with the Gentoo release.

I was trying Snortsam to control my iptables and have not really gotten it to work. I will give the flexresp and oinkmaster suite a look.

Thank you.

Best wishes,
JohnF
-- 
gentoo-security@gentoo.org mailing list
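Added example, not from the post or from the gentoo-security list: a small Python parser for the Snort "full" alert format shown in the clips above, plus a direction check that separates alerts sourced from the proxy host (client requests Squid relayed outward, which Snort reports with the proxy as the offender) from alerts that actually target the proxy. The sample alerts are constructed from the post's own clips; 192.168.1.12 is assumed to be the Squid host, and the `proxy_ip` parameter is this example's own.

```python
import re
from collections import Counter
# Constructed sample in Snort full-alert format, modelled on the post's clips.
SAMPLE_ALERTS = """\
[**] [1:1288:8] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80
TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF

[**] [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/03-13:36:59.036747 192.168.1.12:36106 -> 130.191.143.18:443

[**] [1:1333:6] WEB-ATTACKS id command attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:37:22.144594 192.168.1.12:33666 -> 63.208.226.65:80
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
FLOW_RE = re.compile(r"^(\S+) ([^\s:]+):(\d+) -> ([^\s:]+):(\d+)$")

def parse_alerts(text):
    """Return one dict per alert block; TCP flag and Xref lines are skipped."""
    alerts, cur = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            cur = {"sid": int(m[2]), "msg": m[4]}
            alerts.append(cur)
        elif cur is None:
            continue  # ignore anything before the first alert header
        elif m := CLASS_RE.match(line):
            cur["class"], cur["priority"] = m[1], int(m[2])
        elif m := FLOW_RE.match(line):
            cur.update(ts=m[1], src=m[2], dst=m[4], dport=int(m[5]))
    return alerts

def summarize(alerts, proxy_ip):
    """Count alerts by direction relative to the (assumed) proxy host and by sid.
    src == proxy: a client request Squid relayed outward, so Snort names the
    proxy as offender; dst == proxy: traffic actually aimed at the proxy host."""
    direction = Counter()
    for a in alerts:
        if a.get("src") == proxy_ip:
            direction["outbound_via_proxy"] += 1
        elif a.get("dst") == proxy_ip:
            direction["inbound_to_proxy"] += 1
    by_sid = Counter((a["sid"], a["msg"]) for a in alerts)
    return {"direction": dict(direction), "by_sid": dict(by_sid)}
```

Run against the post's own clips, every alert comes out as outbound_via_proxy, which is the first thing to check before treating a proxy's Snort hits as probes of the server.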