logi snorta

[booli]

Witam,

zainstalowałem snort. dostaję takie logi:

% count ip alert
49.27 1017 67.22.xx.xx (portscan) TCP Decoy Portscan
37.21 768 67.22.xx.xx (snort_decoder): Experimental Tcp Options found
5.09 105 67.22.xx.xx ICMP Destination Unreachable Communication Administratively Prohibited
1.60 33 67.22.xx.xx (http_inspect) BARE BYTE UNICODE ENCODING
1.31 27 67.22.xx.xx (http_inspect) IIS UNICODE CODEPOINT ENCODING
1.21 25 67.22.xx.xx (http_inspect) DOUBLE DECODING ATTACK
1.11 23 67.22.xx.xx (http_inspect) OVERSIZE CHUNK ENCODING
0.82 17 67.22.xx.xx (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
0.63 13 67.22.xx.xx (http_inspect) IIS UNICODE CODEPOINT ENCODING
0.15 3 67.22.xx.xx (snort_decoder) WARNING: TCP Data Offset is less than 5!
0.15 3 67.22.xx.xx (http_inspect) IIS UNICODE CODEPOINT ENCODING
0.15 3 67.22.xx.xx (portscan) TCP Portsweep
0.15 3 67.22.xx.xx (snort_decoder) WARNING: TCP Header length exceeds packet length!
0.10 2 207.171.183.113 (http_inspect) OVERSIZE CHUNK ENCODING
0.10 2 209.85.165.191 (http_inspect) OVERSIZE CHUNK ENCODING
0.10 2 67.22.xx.xx (http_inspect) OVERSIZE CHUNK ENCODING
0.10 2 67.22.xx.xx (snort_decoder): Truncated Tcp Options
0.10 2 67.22.xx.xx (http_inspect) OVERSIZE CHUNK ENCODING
0.10 2 67.22.xx.xx (http_inspect) OVERSIZE CHUNK ENCODING
0.10 2 67.22.xx.xx (http_inspect) OVERSIZE REQUEST-URI DIRECTORY

czy ktoś może powiedzieć za co najpierw się zabrać i jak?

[booli]

ok, ponizej wklejam alert snorta dla konkretnego zdarzenia:

[**] [116:58:1] (snort_decoder): Experimental Tcp Options found [**]
02/02-07:54:53.023296 203.115.242.222:43077 -> 67.22.xx.xx:80
TCP TTL:110 TOS:0x0 ID:22679 IpLen:20 DgmLen:64 DF
******S* Seq: 0x3BD2C89D Ack: 0x0 Win: 0xFFFF TcpLen: 44
TCP Options (8) => MSS: 1460 NOP NOP SackOK Opt 76 (8): 01 010A 1428 2200 05
TCP Options => Opt 76 (2): 0C 01NOP EOL

czy ktos moze mi dac jakas wskazowke jak sie za to zabrac?
co jest nie tak?

[TQM]

ok, ponizej wklejam alert snorta dla konkretnego zdarzenia:

[**] [116:58:1] (snort_decoder): Experimental Tcp Options found [**]
[...]

czy ktos moze mi dac jakas wskazowke jak sie za to zabrac?
co jest nie tak?

To mowi samo za siebie. O ile pamietam SNORT zapisuje obok logu dump calego pakietu, tam powinienes znalezc wiecej informacji.

[booli]

tak tez zrobilem juz..

najwiecej jest takich rekordow: (TTL jest zero)

"778","12903.663666","78.108.145.10","67.22.xx.xx" ,"IP","Unknown (0xff)"
"779","12903.663667","78.108.145.10","67.22.xx.xx" ,"IP","Unknown (0xff)"
"780","12920.466187","83.21.133.169","67.22.xx.xx" ,"IP","Unknown (0xff)"

itd..

dlaczego jest unknown (0xff)? wpuszczam tylko tcp, udp, idmp.

iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

[TQM]

No to teraz pytanie - co sie dzieje jak przychodzi pakiet i ma TTL rowny zero?
Snort loguje je i tyle - mozliwe ze ktos roibl traceroute albo probuje skanowac Twoj firewall

iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

Cos mi sie wydaje ze ESTABLISHED mozesz olac. UDP nie posiada stanu, wiec related zalatwia sprawe, w ICMP bedzie podobnie o ile pamietam.