Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Gentoo>
  3. Security
Snort alert with Squid ?
aa6qn at aa6qn
Nov 6, 2005, 9:03 AM
Post #1 of 4 (3116 views)
Permalink
I could use some help here. I have emerged Snort on my system here (along
with SnortSnarf) and have been watching the alerts. What is causing my
concern it that my server is being reported as a source for serveral web
based attack signatures to a host of unknown destinations. I have spent
some time cleaning and rebuilding the server with no luck until I turned
off Squid.

BTW, all clients behind the squid box were turned off to insure the server
was the source.

I am using the latest portage ebuild Squid-2.5.11 Stable with a clean
build and I still get alerts from my box as source. Running 2.6.13-r5
kerel. I have tried Nessus to see if any un-authorized port was running
(nothing other than standard ports) and ran McAfee linux virus scan
(nothing there either).

I did not see anything on the web that would explain an exploit such as a
worm or trojan that is based on the current Squid build.

Any advise on the next thing to look at? I am starting to wonder if its
the squid ebuild.

Thank you in advance,
JohnF

--
gentoo-security@gentoo.org mailing list
Re: Snort alert with Squid ? [ In reply to ]
brian at braverock
Nov 6, 2005, 10:21 AM
Post #2 of 4 (3049 views)
Permalink
On Sunday 06 November 2005 10:03 am, aa6qn@aa6qn.sytes.net wrote:
> I could use some help here. I have emerged Snort on my system here (along
> with SnortSnarf) and have been watching the alerts. What is causing my
> concern it that my server is being reported as a source for serveral web
> based attack signatures to a host of unknown destinations. I have spent
> some time cleaning and rebuilding the server with no luck until I turned
> off Squid.

Could you please paste in copies of the warnings/alerts;log entries you are
seeing?

Also, have you done a packet capture manually on that port to see what is
going on?

It is about equally likely that snort is giving you a false positive as it is
that anything is wrong with squid...

Regards,

- Brian
--
gentoo-security@gentoo.org mailing list
Re: Snort alert with Squid ? [ In reply to ]
xyon at indigorobot
Nov 6, 2005, 1:40 PM
Post #3 of 4 (3045 views)
Permalink
I concur. Snort is a great program, but the false positives are many.
What are the errors that it is tripping? Many people have to
custom-tailor their snort rules (by disabling problem rules) to allow
legitimate traffic.

One thing that helps me is I have snort emerged with 'USE="flexresp
inline"', and then used oinkmaster to convert all my tcp alert rules to
drop. It helps a little in diagnosing false positives.



On Sun, 2005-11-06 at 11:21 -0600, Brian G. Peterson wrote:
> On Sunday 06 November 2005 10:03 am, aa6qn@aa6qn.sytes.net wrote:
> > I could use some help here. I have emerged Snort on my system here (along
> > with SnortSnarf) and have been watching the alerts. What is causing my
> > concern it that my server is being reported as a source for serveral web
> > based attack signatures to a host of unknown destinations. I have spent
> > some time cleaning and rebuilding the server with no luck until I turned
> > off Squid.
>
> Could you please paste in copies of the warnings/alerts;log entries you are
> seeing?
>
> Also, have you done a packet capture manually on that port to see what is
> going on?
>
> It is about equally likely that snort is giving you a false positive as it is
> that anything is wrong with squid...
>
> Regards,
>
> - Brian

--
gentoo-security@gentoo.org mailing list
Re: Snort alert with Squid ? [ In reply to ]
aa6qn at aa6qn
Nov 7, 2005, 6:45 AM
Post #4 of 4 (3089 views)
Permalink
Yesterday as a follow on, I unmerged the Gentoo Squid (2.5.11 Stable) and
installed Squid-3.0-PRE3-20051030 direct from Squid-cache.org. After that
my only trigger was a common false positive but no random web attacks as
produced by the Gentoo version.

I did record attemps from other Gentoo platforms (i.e.
raptor.gentoo.osuosl.org) that had the same attack signatures probing my
server.

I did save one alert log from the Gentoo Squid build and here are some clips:
----------------------------
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80
TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF
***AP*** Seq: 0xB9ED7061 Ack: 0x1D930248 Win: 0x1BB4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 287314455 7254994
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1376][Xref =>
http:/
/www.securityfocus.com/bid/2252]

[**] [1:1288:8] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application]
[Priority:
2]
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80
TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF
***AP*** Seq: 0xB9ED7061 Ack: 0x1D930248 Win: 0x1BB4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 287314455 7254994
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11032]

[**] [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/03-13:36:59.036747 192.168.1.12:36106 -> 130.191.143.18:443
TCP TTL:64 TOS:0x0 ID:44644 IpLen:20 DgmLen:489 DF
***AP*** Seq: 0xBBD22A6D Ack: 0xC6E36C0C Win: 0x2118 TcpLen: 32
TCP Options (3) => NOP NOP TS: 287348635 430347512
[Xref =>
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0719][Xref =>
http://www.securityfocus.com/bid/10116]

[**] [1:972:8] WEB-IIS %2E-asp access [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2]
11/03-13:38:00.152634 192.168.1.12:36118 -> 63.93.242.137:80
TCP TTL:64 TOS:0x0 ID:35374 IpLen:20 DgmLen:829 DF
***AP*** Seq: 0xC0300C22 Ack: 0x156D63CD Win: 0x16D0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0253][Xref =>
http://www.securityfocus.com/bid/1814]

[**] [1:1564:6] WEB-MISC login.htm access [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2]
11/03-18:02:09.890960 192.168.1.12:32790 -> 209.202.161.132:80
TCP TTL:64 TOS:0x0 ID:16648 IpLen:20 DgmLen:568 DF
***AP*** Seq: 0xB256AB50 Ack: 0x16654B17 Win: 0x16D0 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1533][Xref =>
http://www.securityfocus.com/bid/665]

[**] [1:895:7] WEB-CGI redirect access [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/03-18:02:19.371472 192.168.1.12:32796 -> 207.46.225.221:80
TCP TTL:64 TOS:0x0 ID:40290 IpLen:20 DgmLen:525 DF
***AP*** Seq: 0xB3019639 Ack: 0x80329EEE Win: 0x6C0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 4294840274 7096916
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0382][Xref =>
http://www.securityfocus.com/bid/1179]

[**] [1:1333:6] WEB-ATTACKS id command attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:37:22.144594 192.168.1.12:33666 -> 63.208.226.65:80
TCP TTL:64 TOS:0x0 ID:61249 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0xDEBFB8B8 Ack: 0xDC15FDA0 Win: 0x16D0 TcpLen: 20

[**] [1:1112:6] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/03-21:43:43.650398 192.168.1.12:33728 -> 63.208.226.65:80
TCP TTL:64 TOS:0x0 ID:26729 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0xF4A1B938 Ack: 0xE9F492C2 Win: 0x16D0 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS298]

[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:56:10.945244 192.168.1.12:33991 -> 208.254.3.160:80
TCP TTL:64 TOS:0x0 ID:56127 IpLen:20 DgmLen:679 DF
***AP*** Seq: 0x2581E951 Ack: 0xF243E594 Win: 0x5B4 TcpLen: 32
TCP Options (3) => NOP NOP TS: 13906685 185043937
[Xref => http://www.securityfocus.com/bid/2527]

[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:56:12.087098 192.168.1.12:33992 -> 66.179.5.89:80
TCP TTL:64 TOS:0x0 ID:14281 IpLen:20 DgmLen:980 DF
***AP*** Seq: 0x25AB00D1 Ack: 0x8BAB936F Win: 0x16D0 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2527]

There has been much more but that's is just some snips of the one alert
log that I did save. So far with the new Squid cache I do not get attack
signature triggers as with the Gentoo release.

I was trying Snortsam to control my iptables and have not really gotten it
to work. I will give the flexresp and oinkmaster suite a look. Thank you.

Best wishes, JohnF





--
gentoo-security@gentoo.org mailing list

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal