I've installed Snort on my Debian desktop (as recommended on the Debian security advice page) but am not sure how to interpret the emails it is sending through. Here's a typical morning email - does this look like anything to worry about? (I'm already running the Firestarter firewall which gets a "Stealth" rating from the ShieldsUp test.)

(NB I've partly obscured my own IP address.)

Events between  02 09 16:19:03  and  02 09 23:42:40
Total events: 206
Signatures recorded: 3
Source IP recorded: 1
Destination IP recorded: 9


Events from same host to same destination using same method
=========================================================================
 # of  from             to               method
=========================================================================
  104  80.1.xxx.x       66.102.15.100    (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
   35  80.1.xxx.x       87.248.208.18    (http_inspect) DOUBLE DECODING ATTACK
   34  80.1.xxx.x       87.248.208.12    (http_inspect) DOUBLE DECODING ATTACK
   15  80.1.xxx.x       194.158.126.24   (http_inspect) DOUBLE DECODING ATTACK
    6  80.1.xxx.x       209.10.235.166   (http_inspect) DOUBLE DECODING ATTACK
    5  80.1.xxx.x       64.14.196.202    (http_inspect) DOUBLE DECODING ATTACK
    3  80.1.xxx.x       194.158.126.14   (http_inspect) DOUBLE DECODING ATTACK
    3  80.1.xxx.x       87.248.208.30    (http_inspect) DOUBLE DECODING ATTACK


Percentage and number of events from a host to a destination
============================================================
  %    # of  from             to
============================================================
50.49   104  80.1.xxx.x       66.102.15.100
16.99    35  80.1.xxx.x       87.248.208.18
16.50    34  80.1.xxx.x       87.248.208.12
 7.28    15  80.1.xxx.x       194.158.126.24
 2.91     6  80.1.xxx.x       209.10.235.166
 2.43     5  80.1.xxx.x       64.14.196.202
 1.46     3  80.1.xxx.x       87.248.208.30
 1.46     3  80.1.xxx.x       194.158.126.14


Percentage and number of events from one host to any with same method
==============================================================
  %    # of  from             method
==============================================================
50.49   104  80.1.xxx.x       (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
49.03   101  80.1.xxx.x       (http_inspect) DOUBLE DECODING ATTACK


Percentage and number of events to one certain host
=================================================================
  %    # of  to               method
=================================================================
50.49   104  66.102.15.100    (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
16.99    35  87.248.208.18    (http_inspect) DOUBLE DECODING ATTACK
16.50    34  87.248.208.12    (http_inspect) DOUBLE DECODING ATTACK
 7.28    15  194.158.126.24   (http_inspect) DOUBLE DECODING ATTACK
 2.91     6  209.10.235.166   (http_inspect) DOUBLE DECODING ATTACK
 2.43     5  64.14.196.202    (http_inspect) DOUBLE DECODING ATTACK
 1.46     3  194.158.126.14   (http_inspect) DOUBLE DECODING ATTACK
 1.46     3  87.248.208.30    (http_inspect) DOUBLE DECODING ATTACK


The distribution of event methods
===============================================
  %    # of  method
===============================================
50.49   104  (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
                 104   80.1.xxx.x      -> 66.102.15.100
49.03   101  (http_inspect) DOUBLE DECODING ATTACK
                 35    80.1.xxx.x      -> 87.248.208.18
                 34    80.1.xxx.x      -> 87.248.208.12
                 15    80.1.xxx.x      -> 194.158.126.24
                 6     80.1.xxx.x      -> 209.10.235.166
                 5     80.1.xxx.x      -> 64.14.196.202
                 3     80.1.xxx.x      -> 194.158.126.14
                 3     80.1.xxx.x      -> 87.248.208.30


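The questions a first triage of a report like this asks are mechanical: did any event come from a host other than the poster's own machine, which signatures fired and how often, and do the tables account for every event the header counts. The script below is an added example, not part of the post above and not code shipped with Snort or with the report generator; it parses the "distribution of event methods" section of the summary format quoted above (a copy of those lines is embedded as the sample, with the poster's own masking of the local address kept) and assumes, following the poster's note, that 80.1.xxx.x is the local desktop. On this sample every row has the local address as source and a remote address as destination, so all of the http_inspect preprocessor alerts fired on the desktop's own outbound HTTP requests; the consistency check also shows that the tables list 205 of the 206 events, 2 of the 3 signatures and 8 of the 9 destinations, so one event with a third signature is not displayed anywhere in the report.

```python
"""Parse a Snort summary-report e-mail (the format quoted in the post above)
and extract the figures a first-pass triage needs.  Added example; not
Snort's own code and not the report generator's."""
import re
from collections import Counter

# Constructed sample input: the header and the "distribution of event methods"
# section of the report quoted above, masking kept as the poster left it.
SAMPLE_REPORT = """\
Events between  02 09 16:19:03  and  02 09 23:42:40
Total events: 206
Signatures recorded: 3
Source IP recorded: 1
Destination IP recorded: 9

The distribution of event methods
===============================================
  %    # of  method
===============================================
50.49   104  (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
                 104   80.1.xxx.x      -> 66.102.15.100
49.03   101  (http_inspect) DOUBLE DECODING ATTACK
                 35    80.1.xxx.x      -> 87.248.208.18
                 34    80.1.xxx.x      -> 87.248.208.12
                 15    80.1.xxx.x      -> 194.158.126.24
                 6     80.1.xxx.x      -> 209.10.235.166
                 5     80.1.xxx.x      -> 64.14.196.202
                 3     80.1.xxx.x      -> 194.158.126.14
                 3     80.1.xxx.x      -> 87.248.208.30
"""

# "Total events: 206" and the three "... recorded: N" header lines.
HEADER_RE = re.compile(
    r"^(Total events|Signatures recorded|Source IP recorded|Destination IP recorded):\s*(\d+)")
# "50.49   104  (http_inspect) OVERSIZE REQUEST-URI DIRECTORY"
SIG_RE = re.compile(r"^\s*\d+\.\d+\s+(\d+)\s+\((\w+)\)\s+(.+?)\s*$")
# "                 104   80.1.xxx.x      -> 66.102.15.100"
FLOW_RE = re.compile(r"^\s+(\d+)\s+(\S+)\s+->\s+(\S+)\s*$")


def parse_report(text):
    """Return (headers, flows): headers maps the count names above to ints,
    flows is a list of (signature, count, src, dst) from the distribution
    section.  Only that section is parsed, so a whole e-mail body is safe."""
    headers, flows = {}, []
    current_sig, in_dist = None, False
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1)] = int(m.group(2))
            continue
        if line.startswith("The distribution of event methods"):
            in_dist = True
            continue
        if not in_dist:
            continue
        m = SIG_RE.match(line)
        if m:
            current_sig = f"({m.group(2)}) {m.group(3)}"
            continue
        m = FLOW_RE.match(line)
        if m and current_sig:
            flows.append((current_sig, int(m.group(1)), m.group(2), m.group(3)))
    return headers, flows


def triage(headers, flows, local_ip):
    """Summarise direction and completeness.  local_ip is the address of the
    sensor host; any flow whose source differs from it counts as inbound."""
    per_sig, sources, dests = Counter(), set(), set()
    for sig, n, src, dst in flows:
        per_sig[sig] += n
        sources.add(src)
        dests.add(dst)
    listed = sum(per_sig.values())
    return {
        "per_signature": dict(per_sig),
        "sources": sorted(sources),
        "destinations": sorted(dests),
        "all_from_local": sources == {local_ip},
        "inbound_events": sum(n for _, n, src, _ in flows if src != local_ip),
        # Header counts minus what the tables actually show.
        "unlisted_events": headers.get("Total events", listed) - listed,
        "unlisted_signatures": headers.get("Signatures recorded", len(per_sig)) - len(per_sig),
        "unlisted_destinations": headers.get("Destination IP recorded", len(dests)) - len(dests),
    }


def triage_report(text, local_ip):
    """Convenience wrapper: parse and triage in one call."""
    return triage(*parse_report(text), local_ip)


if __name__ == "__main__":
    for key, value in triage_report(SAMPLE_REPORT, "80.1.xxx.x").items():
        print(f"{key}: {value}")
```

To run it on a real report, pipe the e-mail body to `triage_report(sys.stdin.read(), local_ip)`; the section check means the other tables in the mail are ignored rather than mis-parsed. A non-empty `inbound_events` or a `sources` list longer than one is the case worth reading the raw alert log for; a non-zero `unlisted_*` figure means the summary hides something and the underlying alert file, not the e-mail, is the place to look.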