Gentoo Archives: gentoo-security

From: aa6qn@×××××××××××.net
To: gentoo-security@l.g.o
Subject: [gentoo-security] Re: Snort alert with Squid ?
Date: Mon, 07 Nov 2005 13:49:07
Message-Id: 50652.127.0.0.1.1131371119.squirrel@127.0.0.1
In Reply to: Re: [gentoo-security] Snort alert with Squid ? by "Brian G. Peterson"
Yesterday as a follow on, I unmerged the Gentoo Squid (2.5.11 Stable) and
installed Squid-3.0-PRE3-20051030 direct from Squid-cache.org. After that
my only trigger was a common false positive but no random web attacks as
produced by the Gentoo version.

I did record attempts from other Gentoo platforms (i.e.
raptor.gentoo.osuosl.org) that had the same attack signatures probing my
server.

I did save one alert log from the Gentoo Squid build and here are some clips:
----------------------------
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80
TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF
***AP*** Seq: 0xB9ED7061 Ack: 0x1D930248 Win: 0x1BB4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 287314455 7254994
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1376][Xref => http://www.securityfocus.com/bid/2252]

[**] [1:1288:8] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80
TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF
***AP*** Seq: 0xB9ED7061 Ack: 0x1D930248 Win: 0x1BB4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 287314455 7254994
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11032]

[**] [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/03-13:36:59.036747 192.168.1.12:36106 -> 130.191.143.18:443
TCP TTL:64 TOS:0x0 ID:44644 IpLen:20 DgmLen:489 DF
***AP*** Seq: 0xBBD22A6D Ack: 0xC6E36C0C Win: 0x2118 TcpLen: 32
TCP Options (3) => NOP NOP TS: 287348635 430347512
[Xref => http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0719][Xref => http://www.securityfocus.com/bid/10116]

[**] [1:972:8] WEB-IIS %2E-asp access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
11/03-13:38:00.152634 192.168.1.12:36118 -> 63.93.242.137:80
TCP TTL:64 TOS:0x0 ID:35374 IpLen:20 DgmLen:829 DF
***AP*** Seq: 0xC0300C22 Ack: 0x156D63CD Win: 0x16D0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0253][Xref => http://www.securityfocus.com/bid/1814]

[**] [1:1564:6] WEB-MISC login.htm access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
11/03-18:02:09.890960 192.168.1.12:32790 -> 209.202.161.132:80
TCP TTL:64 TOS:0x0 ID:16648 IpLen:20 DgmLen:568 DF
***AP*** Seq: 0xB256AB50 Ack: 0x16654B17 Win: 0x16D0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1533][Xref => http://www.securityfocus.com/bid/665]

[**] [1:895:7] WEB-CGI redirect access [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/03-18:02:19.371472 192.168.1.12:32796 -> 207.46.225.221:80
TCP TTL:64 TOS:0x0 ID:40290 IpLen:20 DgmLen:525 DF
***AP*** Seq: 0xB3019639 Ack: 0x80329EEE Win: 0x6C0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 4294840274 7096916
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0382][Xref => http://www.securityfocus.com/bid/1179]

[**] [1:1333:6] WEB-ATTACKS id command attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:37:22.144594 192.168.1.12:33666 -> 63.208.226.65:80
TCP TTL:64 TOS:0x0 ID:61249 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0xDEBFB8B8 Ack: 0xDC15FDA0 Win: 0x16D0 TcpLen: 20

[**] [1:1112:6] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/03-21:43:43.650398 192.168.1.12:33728 -> 63.208.226.65:80
TCP TTL:64 TOS:0x0 ID:26729 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0xF4A1B938 Ack: 0xE9F492C2 Win: 0x16D0 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS298]

[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:56:10.945244 192.168.1.12:33991 -> 208.254.3.160:80
TCP TTL:64 TOS:0x0 ID:56127 IpLen:20 DgmLen:679 DF
***AP*** Seq: 0x2581E951 Ack: 0xF243E594 Win: 0x5B4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 13906685 185043937
[Xref => http://www.securityfocus.com/bid/2527]

[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:56:12.087098 192.168.1.12:33992 -> 66.179.5.89:80
TCP TTL:64 TOS:0x0 ID:14281 IpLen:20 DgmLen:980 DF
***AP*** Seq: 0x25AB00D1 Ack: 0x8BAB936F Win: 0x16D0 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2527]

There has been much more but that's just some snips of the one alert
log that I did save. So far with the new Squid cache I do not get attack
signature triggers as with the Gentoo release.

I was trying Snortsam to control my iptables and have not really gotten it
to work. I will give the flexresp and oinkmaster suite a look. Thank you.

Best wishes, JohnF

--
gentoo-security@g.o mailing list
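Every alert quoted above has the same shape: source 192.168.1.12 (the Squid host) talking to an outside web server on port 80 or 443, which is exactly what a proxy relaying its clients' requests looks like to Snort. As an added example that is not part of the original thread, the Python below parses Snort's full-format alert log (the sample is constructed from three of the entries above) and separates the alerts whose flow is proxy -> remote web port from anything aimed at the proxy itself; the proxy address and the web port list are assumptions a site would set for itself.

```python
import re

# Constructed sample in Snort "full" alert format; the values are copied
# from three of the entries quoted in the post above.
SAMPLE_ALERTS = """\
[**] [1:1288:8] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80

[**] [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/03-13:36:59.036747 192.168.1.12:36106 -> 130.191.143.18:443

[**] [1:1333:6] WEB-ATTACKS id command attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:37:22.144594 192.168.1.12:33666 -> 63.208.226.65:80
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
FLOW = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

def parse_alerts(text):
    """Split a Snort full-format alert log into one dict per alert.
    Alerts are blank-line separated; the first three lines carry the
    signature header, classification/priority and the packet flow."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        h, c, f = HEADER.match(lines[0]), CLASS.search(lines[1]), FLOW.match(lines[2])
        if not (h and c and f):
            continue  # unparseable block: skip rather than guess
        alerts.append({
            "gid": int(h.group(1)), "sid": int(h.group(2)), "rev": int(h.group(3)),
            "msg": h.group(4), "class": c.group(1), "priority": int(c.group(2)),
            "time": f.group(1), "src": f.group(2), "sport": int(f.group(3)),
            "dst": f.group(4), "dport": int(f.group(5)),
        })
    return alerts

def proxy_relayed(alerts, proxy_ip, web_ports=(80, 443)):
    """Alerts whose flow is proxy_ip -> remote web port: requests the proxy
    forwarded for its clients, to be triaged apart from traffic aimed at
    the proxy itself. proxy_ip and web_ports are assumed site values."""
    return [a for a in alerts if a["src"] == proxy_ip and a["dport"] in web_ports]
```

Alerts that fall into the relayed bucket still tell you which client requests were forwarded, so the next step is to check the matching Squid access.log entries rather than to assume the proxy host is compromised.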