Hi, a short while ago one of my servers got hacked... Since I can't reinstall it, at least for the moment, I wanted to find a way to plug the various holes. I installed snort today and this is the first result:

Let me say up front that 192.168.3.9 is the machine in question.. all the others are local anyway... tomorrow I'll figure out which ones... thanks

Example from /var/log/snort/alert:

[**] [1:648:4] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
11/05-20:15:24.333343 192.168.3.175:1026 -> 192.168.3.9:139
TCP TTL:128 TOS:0x0 ID:5512 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xBAB0515D Ack: 0x8C180816 Win: 0x43A1 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

snort-stat:

The log begins from: 11 05 16:58:30
The log ends at: 11 05 20:15:24
Total events: 88
Signatures recorded: 8
Source IP recorded: 6
Destination IP recorded: 3
Portscan recorded: 4

The number of attacks from same host to same destination using same method
=========================================================================
 # of
 attacks  from           to             method
=========================================================================
   59  192.168.3.175  192.168.3.9    SHELLCODE x86 NOOP
   10  192.168.3.254  192.168.3.9    WEB-CGI calendar access
    9  192.168.3.128  192.168.3.9    ICMP Destination Unreachable (Port Unreachable)
    2  192.168.3.9    192.168.3.128  ICMP Echo Reply
    2  192.168.3.154  192.168.3.9    NETBIOS Samba clientaccess
    2  192.168.3.9    192.168.3.148  ICMP Echo Reply
    2  192.168.3.128  192.168.3.9    ICMP PING *NIX
    1  192.168.3.148  192.168.3.9    ICMP PING NMAP
    1  192.168.3.148  192.168.3.9    ICMP L3retriever Ping

Percentage and number of attacks from a host to a destination
============================================================
        # of
   %    attacks  from           to
============================================================
 67.05   59  192.168.3.175  192.168.3.9
 12.50   11  192.168.3.128  192.168.3.9
 11.36   10  192.168.3.254  192.168.3.9
  2.27    2  192.168.3.148  192.168.3.9
  2.27    2  192.168.3.9    192.168.3.128
  2.27    2  192.168.3.9    192.168.3.148
  2.27    2  192.168.3.154  192.168.3.9

Percentage and number of attacks from one host to any with same method
==============================================================
        # of
   %    attacks  from           method
==============================================================
 67.05   59  192.168.3.175  SHELLCODE x86 NOOP
 11.36   10  192.168.3.254  WEB-CGI calendar access
 10.23    9  192.168.3.128  ICMP Destination Unreachable (Port Unreachable)
  4.55    4  192.168.3.9    ICMP Echo Reply
  2.27    2  192.168.3.128  ICMP PING *NIX
  2.27    2  192.168.3.154  NETBIOS Samba clientaccess
  1.14    1  192.168.3.148  ICMP L3retriever Ping
  1.14    1  192.168.3.148  ICMP PING NMAP

Percentage and number of attacks to one certain host
=================================================================
        # of
   %    attacks  to             method
=================================================================
 67.05   59  192.168.3.9    SHELLCODE x86 NOOP
 11.36   10  192.168.3.9    WEB-CGI calendar access
 10.23    9  192.168.3.9    ICMP Destination Unreachable (Port Unreachable)
  2.27    2  192.168.3.9    ICMP PING *NIX
  2.27    2  192.168.3.128  ICMP Echo Reply
  2.27    2  192.168.3.148  ICMP Echo Reply
  2.27    2  192.168.3.9    NETBIOS Samba clientaccess
  1.14    1  192.168.3.9    ICMP L3retriever Ping
  1.14    1  192.168.3.9    ICMP PING NMAP

The distribution of attack methods
===============================================
        # of
   %    attacks  method
===============================================
 67.05   59  SHELLCODE x86 NOOP
             59  192.168.3.175 -> 192.168.3.9
 11.36   10  WEB-CGI calendar access
             10  192.168.3.254 -> 192.168.3.9
 10.23    9  ICMP Destination Unreachable (Port Unreachable)
              9  192.168.3.128 -> 192.168.3.9
  4.55    4  ICMP Echo Reply
              2  192.168.3.9 -> 192.168.3.128
              2  192.168.3.9 -> 192.168.3.148
  2.27    2  NETBIOS Samba clientaccess
              2  192.168.3.154 -> 192.168.3.9
  2.27    2  ICMP PING *NIX
              2  192.168.3.128 -> 192.168.3.9
  1.14    1  ICMP PING NMAP
              1  192.168.3.148 -> 192.168.3.9
  1.14    1  ICMP L3retriever Ping
              1  192.168.3.148 -> 192.168.3.9

Portscans performed to/from HOME_NET
===================================
 # of
 attacks  from
===================================
   4  192.168.3.9

--
Theory is when you know everything but nothing works. Practice is when everything works but nobody knows why.
In any case you always end up combining theory and practice: nothing works and nobody knows why. Albert Einstein
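An added example, not part of the original post: a small Python parser for Snort's full alert format (the layout of the /var/log/snort/alert entry above) that counts events per source, destination and signature and per signature with percentages, the way snort-stat does. The records in SAMPLE_ALERTS are constructed for the example (the SIDs, classifications and priorities of the non-SHELLCODE records are placeholders), and parse_alerts / summarize are names chosen here, not snort tools.

```python
import re
from collections import Counter

# Constructed sample in Snort's full-alert layout (same shape as the entry quoted
# in the post). Addresses, times and the SIDs/priorities of the last two records are made up.
SAMPLE_ALERTS = """\
[**] [1:648:4] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
11/05-20:15:24.333343 192.168.3.175:1026 -> 192.168.3.9:139
TCP TTL:128 TOS:0x0 ID:5512 IpLen:20 DgmLen:1500 DF

[**] [1:648:4] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
11/05-20:15:25.100001 192.168.3.175:1026 -> 192.168.3.9:139
TCP TTL:128 TOS:0x0 ID:5513 IpLen:20 DgmLen:1500 DF

[**] [1:99999:1] WEB-CGI calendar access [**]
[Classification: Web Application Attack] [Priority: 2]
11/05-20:16:01.000000 192.168.3.254:40211 -> 192.168.3.9:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:300 DF

[**] [1:99998:1] ICMP Destination Unreachable (Port Unreachable) [**]
[Classification: Misc activity] [Priority: 3]
11/05-20:16:05.000000 192.168.3.128 -> 192.168.3.9
ICMP TTL:64 TOS:0xC0 ID:0 IpLen:20 DgmLen:56
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
FLOW_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)(?::\d+)?$")

def parse_alerts(text):
    """Return one dict per alert record; records are separated by blank lines."""
    events = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines()
        head = HEADER_RE.match(lines[0])
        flow = next((m for m in map(FLOW_RE.match, lines[1:]) if m), None)  # port is optional (ICMP)
        if head and flow:  # skip anything that is not a well-formed alert record
            events.append({"sid": head.group(2), "sig": head.group(4),
                           "time": flow.group(1), "src": flow.group(2), "dst": flow.group(3)})
    return events

def summarize(events):
    """Aggregate like snort-stat: per (src, dst, method) and per method with a percentage."""
    total = len(events)
    by_triple = Counter((e["src"], e["dst"], e["sig"]) for e in events)
    by_method = Counter(e["sig"] for e in events)
    return {"total": total, "by_triple": by_triple,
            "by_method": {sig: (n, round(100.0 * n / total, 2)) for sig, n in by_method.items()}}
```

Run it against a real alert file with `summarize(parse_alerts(open("/var/log/snort/alert").read()))` and sort `by_triple.most_common()` to get the same "from / to / method" ranking as the snort-stat table.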

