* [gentoo-security] Snort alert with Squid ?
From: aa6qn @ 2005-11-06 16:03 UTC
To: gentoo-security
I could use some help here. I have emerged Snort on my system here (along
with SnortSnarf) and have been watching the alerts. What is causing my
concern is that my server is being reported as a source for several web
based attack signatures to a host of unknown destinations. I have spent
some time cleaning and rebuilding the server with no luck until I turned
off Squid.
BTW, all clients behind the squid box were turned off to ensure the server
was the source.
I am using the latest portage ebuild Squid-2.5.11 Stable with a clean
build and I still get alerts from my box as source. Running 2.6.13-r5
kernel. I have tried Nessus to see if any unauthorized port was running
(nothing other than standard ports) and ran McAfee linux virus scan
(nothing there either).
I did not see anything on the web that would explain an exploit such as a
worm or trojan that is based on the current Squid build.
Any advice on the next thing to look at? I am starting to wonder if it's
the squid ebuild.
Thank you in advance,
JohnF
--
gentoo-security@gentoo.org mailing list
* Re: [gentoo-security] Snort alert with Squid ?
From: Brian G. Peterson @ 2005-11-06 17:21 UTC
To: gentoo-security
On Sunday 06 November 2005 10:03 am, aa6qn@aa6qn.sytes.net wrote:
> I could use some help here. I have emerged Snort on my system here (along
> with SnortSnarf) and have been watching the alerts. What is causing my
> concern is that my server is being reported as a source for several web
> based attack signatures to a host of unknown destinations. I have spent
> some time cleaning and rebuilding the server with no luck until I turned
> off Squid.
Could you please paste in copies of the warnings/alerts/log entries you are
seeing?
Also, have you done a packet capture manually on that port to see what is
going on?
It is about equally likely that snort is giving you a false positive as it is
that anything is wrong with squid...
Regards,
- Brian
* Re: [gentoo-security] Snort alert with Squid ?
From: xyon @ 2005-11-06 20:40 UTC
To: gentoo-security
I concur. Snort is a great program, but the false positives are many.
What are the errors that it is tripping? Many people have to
custom-tailor their snort rules (by disabling problem rules) to allow
legitimate traffic.
One thing that helps me is I have snort emerged with 'USE="flexresp
inline"', and then used oinkmaster to convert all my tcp alert rules to
drop. It helps a little in diagnosing false positives.
On Sun, 2005-11-06 at 11:21 -0600, Brian G. Peterson wrote:
> On Sunday 06 November 2005 10:03 am, aa6qn@aa6qn.sytes.net wrote:
> > I could use some help here. I have emerged Snort on my system here (along
> > with SnortSnarf) and have been watching the alerts. What is causing my
> > concern is that my server is being reported as a source for several web
> > based attack signatures to a host of unknown destinations. I have spent
> > some time cleaning and rebuilding the server with no luck until I turned
> > off Squid.
>
> Could you please paste in copies of the warnings/alerts/log entries you are
> seeing?
>
> Also, have you done a packet capture manually on that port to see what is
> going on?
>
> It is about equally likely that snort is giving you a false positive as it is
> that anything is wrong with squid...
>
> Regards,
>
> - Brian
* [gentoo-security] Re: Snort alert with Squid ?
From: aa6qn @ 2005-11-07 13:45 UTC
To: gentoo-security
Yesterday, as a follow-on, I unmerged the Gentoo Squid (2.5.11 Stable) and
installed Squid-3.0-PRE3-20051030 direct from Squid-cache.org. After that
my only trigger was a common false positive but no random web attacks as
produced by the Gentoo version.
I did record attempts from other Gentoo platforms (i.e.
raptor.gentoo.osuosl.org) that had the same attack signatures probing my
server.
I did save one alert log from the Gentoo Squid build and here are some clips:
----------------------------
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80
TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF
***AP*** Seq: 0xB9ED7061 Ack: 0x1D930248 Win: 0x1BB4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 287314455 7254994
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1376][Xref => http://www.securityfocus.com/bid/2252]
[**] [1:1288:8] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80
TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF
***AP*** Seq: 0xB9ED7061 Ack: 0x1D930248 Win: 0x1BB4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 287314455 7254994
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11032]
[**] [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/03-13:36:59.036747 192.168.1.12:36106 -> 130.191.143.18:443
TCP TTL:64 TOS:0x0 ID:44644 IpLen:20 DgmLen:489 DF
***AP*** Seq: 0xBBD22A6D Ack: 0xC6E36C0C Win: 0x2118 TcpLen: 32
TCP Options (3) => NOP NOP TS: 287348635 430347512
[Xref => http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0719][Xref => http://www.securityfocus.com/bid/10116]
[**] [1:972:8] WEB-IIS %2E-asp access [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2]
11/03-13:38:00.152634 192.168.1.12:36118 -> 63.93.242.137:80
TCP TTL:64 TOS:0x0 ID:35374 IpLen:20 DgmLen:829 DF
***AP*** Seq: 0xC0300C22 Ack: 0x156D63CD Win: 0x16D0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0253][Xref =>
http://www.securityfocus.com/bid/1814]
[**] [1:1564:6] WEB-MISC login.htm access [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2]
11/03-18:02:09.890960 192.168.1.12:32790 -> 209.202.161.132:80
TCP TTL:64 TOS:0x0 ID:16648 IpLen:20 DgmLen:568 DF
***AP*** Seq: 0xB256AB50 Ack: 0x16654B17 Win: 0x16D0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1533][Xref =>
http://www.securityfocus.com/bid/665]
[**] [1:895:7] WEB-CGI redirect access [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/03-18:02:19.371472 192.168.1.12:32796 -> 207.46.225.221:80
TCP TTL:64 TOS:0x0 ID:40290 IpLen:20 DgmLen:525 DF
***AP*** Seq: 0xB3019639 Ack: 0x80329EEE Win: 0x6C0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 4294840274 7096916
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0382][Xref =>
http://www.securityfocus.com/bid/1179]
[**] [1:1333:6] WEB-ATTACKS id command attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:37:22.144594 192.168.1.12:33666 -> 63.208.226.65:80
TCP TTL:64 TOS:0x0 ID:61249 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0xDEBFB8B8 Ack: 0xDC15FDA0 Win: 0x16D0 TcpLen: 20
[**] [1:1112:6] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/03-21:43:43.650398 192.168.1.12:33728 -> 63.208.226.65:80
TCP TTL:64 TOS:0x0 ID:26729 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0xF4A1B938 Ack: 0xE9F492C2 Win: 0x16D0 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS298]
[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:56:10.945244 192.168.1.12:33991 -> 208.254.3.160:80
TCP TTL:64 TOS:0x0 ID:56127 IpLen:20 DgmLen:679 DF
***AP*** Seq: 0x2581E951 Ack: 0xF243E594 Win: 0x5B4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 13906685 185043937
[Xref => http://www.securityfocus.com/bid/2527]
[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:56:12.087098 192.168.1.12:33992 -> 66.179.5.89:80
TCP TTL:64 TOS:0x0 ID:14281 IpLen:20 DgmLen:980 DF
***AP*** Seq: 0x25AB00D1 Ack: 0x8BAB936F Win: 0x16D0 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2527]
There has been much more but that's just some snips of the one alert
log that I did save. So far with the new Squid cache I do not get attack
signature triggers as with the Gentoo release.
I was trying Snortsam to control my iptables and have not really gotten it
to work. I will give the flexresp and oinkmaster suite a look. Thank you.
Best wishes, JohnF
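The check Brian and xyon are asking for, worked through as an added example that is not part of the thread: parse Snort's full-format alert output (the format of the clips above) and line each alert up against Squid's native access.log, so you can tell whether the proxy was merely relaying a client's request to that destination at that moment or whether nothing in the proxy log accounts for the packet. The alert text is constructed from the clips posted here; the access.log lines, the client address 192.168.1.50 and the year 2005 (Snort omits the year) are assumptions. `disablesid` is oinkmaster's own directive for switching off rules once you have confirmed they are false positives.

```python
# Added example: correlate Snort full-format alerts with Squid access.log.
import re
from datetime import datetime, timezone

# Constructed sample in Snort full-alert format, built from clips in the thread.
SAMPLE_ALERTS = """\
[**] [1:1288:8] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80
TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF
***AP*** Seq: 0xB9ED7061 Ack: 0x1D930248 Win: 0x1BB4 TcpLen: 32
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11032]

[**] [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/03-13:36:59.036747 192.168.1.12:36106 -> 130.191.143.18:443
TCP TTL:64 TOS:0x0 ID:44644 IpLen:20 DgmLen:489 DF
***AP*** Seq: 0xBBD22A6D Ack: 0xC6E36C0C Win: 0x2118 TcpLen: 32
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0719]

[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:56:10.945244 192.168.1.12:33991 -> 208.254.3.160:80
TCP TTL:64 TOS:0x0 ID:56127 IpLen:20 DgmLen:679 DF
***AP*** Seq: 0x2581E951 Ack: 0xF243E594 Win: 0x5B4 TcpLen: 32
[Xref => http://www.securityfocus.com/bid/2527]
"""

# Constructed Squid native-format access.log (end time, elapsed ms, client,
# code/status, bytes, method, URL, ident, peerstatus/peer, type). Assumed
# client 192.168.1.50; the two entries explain the first two alerts only.
SAMPLE_ACCESS_LOG = """\
1131024985.100    300 192.168.1.50 TCP_MISS/200 740 GET http://160.227.20.8/_vti_bin/ - DIRECT/160.227.20.8 text/html
1131025019.400    500 192.168.1.50 TCP_MISS/200 489 CONNECT 130.191.143.18:443 - DIRECT/130.191.143.18 -
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")
XREF_RE = re.compile(r"\[Xref => ([^\]]+)\]")


def parse_alerts(text):
    """One dict per '[**] ... [**]' block; the lines that follow a header
    (classification, packet line, xrefs) are attached to that alert."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"gid": int(m.group(1)), "sid": int(m.group(2)),
                   "rev": int(m.group(3)), "msg": m.group(4), "xrefs": []}
            alerts.append(cur)
            continue
        if cur is None:
            continue
        m = CLASS_RE.match(line)
        if m:
            cur["classification"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        m = PACKET_RE.match(line)
        if m:
            cur["ts"], cur["src"], cur["sport"] = m.group(1), m.group(2), int(m.group(3))
            cur["dst"], cur["dport"] = m.group(4), int(m.group(5))
            continue
        cur["xrefs"].extend(XREF_RE.findall(line))
    return alerts


def snort_ts_to_epoch(ts, year):
    """Snort timestamps carry no year; the caller supplies it (assumed UTC)."""
    dt = datetime.strptime(f"{year}/{ts}", "%Y/%m/%d-%H:%M:%S.%f")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def parse_access_log(text):
    """Squid native format: field 0 is request end time, 1 elapsed ms,
    2 client address, 8 peerstatus/peer (the upstream the proxy talked to)."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue
        end = float(f[0])
        entries.append({"start": end - int(f[1]) / 1000.0, "end": end,
                        "client": f[2], "peer": f[8].split("/", 1)[-1]})
    return entries


def correlate(alerts, entries, year, slack=2.0):
    """For each alert: (sid, dst, clients) where clients are the proxy users
    whose request to that destination overlapped the alert time. An empty
    list means the proxy log does not explain the packet; that is the case
    worth a packet capture rather than a rule tweak."""
    out = []
    for a in alerts:
        t = snort_ts_to_epoch(a["ts"], year)
        clients = sorted({e["client"] for e in entries if e["peer"] == a["dst"]
                          and e["start"] - slack <= t <= e["end"] + slack})
        out.append((a["sid"], a["dst"], clients))
    return out


def disablesid_line(sids):
    """oinkmaster.conf directive for rules confirmed to be false positives."""
    return "disablesid " + ", ".join(str(s) for s in sorted(set(sids)))


if __name__ == "__main__":
    for sid, dst, clients in correlate(parse_alerts(SAMPLE_ALERTS),
                                       parse_access_log(SAMPLE_ACCESS_LOG), 2005):
        print(sid, dst, "relayed for " + ", ".join(clients) if clients else "UNEXPLAINED")
    print(disablesid_line([1288, 1054, 1288]))
```

Run against a real pair of files by reading them in place of the two constructed strings. An alert that matches a client request tells you the proxy's own address is the packet source only because it forwards for that client, and the payload should be judged from the client's request; an alert with no matching entry while all clients are off (the situation in the first post) is the one to capture on the wire and compare byte for byte with what Squid logged.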