Hello everyone,
I have the Snort security report (alert) and the syslog (messages) about a possible intrusion of the server. Some of the information I already understand (as a layman) and I have put it below, but on the same lines there is other information I don't know. If you could describe it, or point me to a detailed reading on the subject, I would be grateful.
Thanks.
bk
#################################################################
# #
# ALERT - SNORT #
# #
#################################################################
#
0/21-21:09:22.735829 [**] [121:4:1] Portscan detected from 200.xxx.xxx.xxx Talker(fixed: 14 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
10/21-22:29:47.361791 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] {TCP} 200.xxx.xxx.xxx:3018 -> 64.233.171.85:80
10/21-22:30:22.984057 [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] {TCP} 200.xxx.xxx.xxx:3034 -> 64.233.171.85:80
10/21-22:30:23.135761 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] {TCP} 200.xxx.xxx.xxx:3034 -> 64.233.171.85:80
10/21-22:33:35.745612 [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] {TCP} 200.xxx.xxx.xxx:3039 -> 64.233.171.85:80
10/21-23:13:01.043959 [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**] {TCP} 200.xxx.xxx.xxx:3176 -> 64.233.171.86:80
10/21-23:13:40.854902 [**] [1:486:4] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 200.xxx.xxx.xxx -> 207.68.178.16
10/21-23:15:07.850146 [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**] {TCP} 200.xxx.xxx.xxx:3180 -> 64.233.171.86:80
10/21-23:25:18.387582 [**] [121:4:1] Portscan detected from 200.xxx.xxx.xxx Talker(fixed: 30 sliding: 21) Scanner(fixed: 0 sliding: 0) [**]
10/21-23:30:51.067555 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] {TCP} 200.xxx.xxx.xxx:3315 -> 64.233.171.86:80
10/21-23:55:36.537326 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] {TCP} 200.xxx.xxx.xxx:3435 -> 216.239.37.86:80
10/22-00:33:37.023326 [**] [121:4:1] Portscan detected from 200.176.3.221 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
10/22-00:46:23.637240 [**] [121:4:1] Portscan detected from 200.176.3.142 Talker(fixed: 30 sliding: 30) Scanner(fixed: 0 sliding: 0) [**]
#########################################################################
# #
# MESSAGES #
# #
#########################################################################
#
Oct 22 01:43:40 barkaservidor kernel: Pacote INPUT descartado: IN=eth0 OUT= MAC=00:01:03:dc:69:70:00:04:28:27:78:54:08:00 SRC=193.1.193.64 DST=200.212.227.32 LEN=52 TOS=0x00 PREC=0x20 TTL=48 ID=697 DF PROTO=TCP SPT=80 DPT=41831 WINDOW=149 RES=0x00 ACK URGP=0
Oct 22 01:43:43 barkaservidor dhclient: DHCPREQUEST on eth0 to 192.168.150.21 port 67
Oct 22 01:44:15 barkaservidor last message repeated 2 times
Oct 22 01:44:54 barkaservidor last message repeated 3 times
Oct 22 01:45:03 barkaservidor kernel: ip_tables: (C) 2000-2002 Netfilter core team
Oct 22 01:45:03 barkaservidor kernel: ip_conntrack version 2.1 (3839 buckets, 30712 max) - 272 bytes per conntrack
Oct 22 01:45:15 barkaservidor dhclient: DHCPREQUEST on eth0 to 192.168.150.21 port 67
Oct 22 01:46:02 barkaservidor last message repeated 3 times
Oct 22 01:47:16 barkaservidor last message repeated 4 times
Oct 22 01:48:07 barkaservidor last message repeated 5 times
Oct 22 01:48:16 barkaservidor dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Oct 22 01:48:16 barkaservidor dhclient: DHCPACK from 10.150.0.1
Oct 22 01:48:16 barkaservidor dhclient: bound to 200.212.227.32 -- renewal in 291 seconds.
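As an added illustration (not part of the original post), a small Python parser for the two record formats in the report: Snort alert_fast lines, whose [gid:sid:rev] triple identifies which component raised the alert (GID 1 is a signature rule, 119 the http_inspect preprocessor, 121 the flow-portscan preprocessor), and netfilter LOG lines written by the kernel. The sample lines are constructed in the same shape as the ones above, with documentation-range addresses and a made-up hostname.

```python
import re
from collections import Counter

# Snort generator ids (GID) that appear in the report above:
# 1 = signature rules, 119 = http_inspect (client side), 121 = flow-portscan.
GID_NAMES = {1: "rule", 119: "http_inspect", 121: "flow-portscan"}

# Constructed sample lines in the same alert_fast / netfilter LOG format as the
# report (addresses are documentation ranges, "srv" is a made-up hostname).
SAMPLE_ALERTS = [
    "10/21-22:29:47.361791 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] {TCP} 203.0.113.5:3018 -> 198.51.100.85:80",
    "10/21-23:13:40.854902 [**] [1:486:4] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.5 -> 198.51.100.16",
    "10/21-23:25:18.387582 [**] [121:4:1] Portscan detected from 203.0.113.5 Talker(fixed: 30 sliding: 21) Scanner(fixed: 0 sliding: 0) [**]",
]
SAMPLE_LOG = ("Oct 22 01:43:40 srv kernel: Pacote INPUT descartado: IN=eth0 OUT= "
              "MAC=00:01:03:dc:69:70:00:04:28:27:78:54:08:00 SRC=192.0.2.64 DST=203.0.113.32 "
              "LEN=52 TOS=0x00 PREC=0x20 TTL=48 ID=697 DF PROTO=TCP SPT=80 DPT=41831 WINDOW=149 RES=0x00 ACK URGP=0")

# One alert_fast record. The "{PROTO} SRC -> DST" tail is absent on portscan
# alerts and the ports are absent on ICMP, so both are optional groups.
SNORT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r"(?: \[Classification: (?P<cls>[^\]]+)\])?(?: \[Priority: (?P<prio>\d+)\])?"
    r"(?: \{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r" -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?)?$"
)

def parse_snort(line):
    """Return the fields of one alert line, or None if it does not match."""
    m = SNORT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update({k: int(rec[k]) for k in ("gid", "sid", "rev")})
    rec["generator"] = GID_NAMES.get(rec["gid"], "gid-%d" % rec["gid"])
    return rec

def parse_netfilter(line):
    """Split a kernel LOG line into its prefix, KEY=VALUE fields and bare flags."""
    tokens = line.split("kernel: ", 1)[1].split()
    first = next(i for i, t in enumerate(tokens) if "=" in t)
    fields = dict(t.split("=", 1) for t in tokens[first:] if "=" in t)
    flags = [t for t in tokens[first:] if "=" not in t]  # DF, SYN, ACK ... are bare words
    return {"prefix": " ".join(tokens[:first]), "fields": fields, "flags": flags}

def count_by_generator(lines):
    """Alert counts keyed by (generator name, sid); lines that do not parse are skipped."""
    recs = [r for r in map(parse_snort, lines) if r]
    return Counter((r["generator"], r["sid"]) for r in recs)
```

Run over the report above, the src/dst fields show that every http_inspect and portscan alert has the 200.xxx.xxx.xxx host as the source and port 80 on outside hosts as the destination, which is the first thing to check before treating them as an inbound attack.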