ONLINE-EXTRA CONTENT

Defending Networks with Intrusion Detection Systems

By Jose Maria Gonzalez

Sample attack data (Snort alerts in full-alert format; source and destination addresses are shown as /24 networks)

[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
02/04-13:00:19.837833 172.168.1.0/24 -> 192.168.1.0/24
ICMP TTL:118 TOS:0x0 ID:12687 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:57484 ECHO
[Xref =>

[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
02/04-13:07:04.007822 172.168.1.0/24:2753 -> 192.168.1.0/24:1434
UDP TTL:111 TOS:0x0 ID:665 IpLen:20 DgmLen:404
Len: 376
[Xref => => =>

[**] [112:1:1] (spp_arpspoof) Unicast ARP request [**]
02/04-13:34:10.848523

[**] [111:2:1] (spp_stream4) possible EVASIVE RST detection [**]
02/04-13:43:45.287900 172.168.1.0/24:35704 -> 192.168.1.0/24:135
TCP TTL:15 TOS:0x0 ID:0 IpLen:20 DgmLen:43
***A*R** Seq: 0x0 Ack: 0x0 Win: 0x0 TcpLen: 20

[**] [119:12:1] (http_inspect) APACHE WHITESPACE (TAB) [**]
02/04-13:49:28.028102 172.168.1.0/24:49973 -> 192.168.1.0/24:80
TCP TTL:43 TOS:0x0 ID:3738 IpLen:20 DgmLen:1420 DF
***A*R** Seq: 0x517F0E61 Ack: 0x5913BF36 Win: 0x7BFC TcpLen: 20

[**] [111:17:1] (spp_stream4) TCP TOO FAST RETRANSMISSION WITH DIFFERENT DATA SIZE (possible fragroute) detection [**]
02/04-13:49:43.918191 172.168.1.0/24:50046 -> 192.168.1.0/24:80
TCP TTL:43 TOS:0x0 ID:14874 IpLen:20 DgmLen:1204 DF
***A*R** Seq: 0x3ADF9942 Ack: 0x6723D51E Win: 0x7BFC TcpLen: 20

[**] [111:16:1] (spp_stream4) TCP CHECKSUM CHANGED ON RETRANSMISSION (possible fragroute) detection [**]
02/04-13:55:41.158090 172.168.1.0/24:50598 -> 192.168.1.0/24:80
TCP TTL:50 TOS:0x0 ID:59039 IpLen:20 DgmLen:1420 DF
***A*R** Seq: 0x72D92F9D Ack: 0x8BE49CA1 Win: 0x3F67 TcpLen: 20

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/04-14:00:44.077813 172.168.1.0/24 -> 192.168.1.0/24
ICMP TTL:245 TOS:0x0 ID:40032 IpLen:20 DgmLen:28
Type:8 Code:0 ID:768 Seq:565 ECHO
[Xref =>

[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
02/04-14:14:56.297813 172.168.1.0/24:3264 -> 192.168.1.0/24:1434
UDP TTL:108 TOS:0x0 ID:51795 IpLen:20 DgmLen:404
Len: 376
[Xref => => =>

[**] [1:1149:9] WEB-CGI count.cgi access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
02/04-15:50:37.339193 172.168.1.0/24:50863 -> 192.168.1.0/24:80
TCP TTL:128 TOS:0x0 ID:20578 IpLen:20 DgmLen:502 DF
***AP*** Seq: 0x18E14DF8 Ack: 0x15F575B3 Win: 0xFC00 TcpLen: 20
[Xref => [Xref => CVE-1999-0021][Xref =>

[**] [1:1413:2] SNMP private access udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/04-17:00:27.017884 172.168.1.0/24:38523 -> 192.168.1.0/24:161
UDP TTL:55 TOS:0x0 ID:33923 IpLen:20 DgmLen:70 DF
Len: 42
[Xref => CAN-2002-0013][Xref => cvename.cgi?name=CAN-2002-0012]

[**] [1:1417:2] SNMP request udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/04-17:00:27.018405 172.168.1.0/24:38525 -> 192.168.1.0/24:161
UDP TTL:55 TOS:0x0 ID:33923 IpLen:20 DgmLen:67 DF
Len: 39
[Xref => CAN-2002-0013][Xref => cvename.cgi?name=CAN-2002-0012]

[**] [1:620:5] SCAN Proxy Port 8080 attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/04-17:01:57.957803 172.168.1.0/24:57619 -> 192.168.1.0/24:8080
TCP TTL:55 TOS:0x0 ID:22607 IpLen:20 DgmLen:60 DF
******S* Seq: 0xA3A3F047 Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 397453320 0 NOP WS: 0

[**] [1:2049:1] MS-SQL ping attempt [**]
[Classification: Misc activity] [Priority: 3]
02/04-17:02:10.577703 172.168.1.0/24:41991 -> 192.168.1.0/24:1434
UDP TTL:55 TOS:0x0 ID:43977 IpLen:20 DgmLen:29 DF
Len: 1
[Xref =>

[**] [1:1616:4] DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/04-17:02:44.687917 172.168.1.0/24:41995 -> 192.168.1.0/24:53
UDP TTL:55 TOS:0x0 ID:47690 IpLen:20 DgmLen:58 DF
Len: 30
[Xref => =>

[**] [1:524:6] BAD-TRAFFIC tcp port 0 traffic [**]
[Classification: Misc activity] [Priority: 3]
02/04-17:03:37.397808 172.168.1.0/24:58422 -> 192.168.1.0/24:0
TCP TTL:55 TOS:0x0 ID:55667 IpLen:20 DgmLen:60 DF
******S* Seq: 0xA97A1792 Ack: 0x0 Win: 0x16D0 TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 397463265 0 NOP WS: 0

[**] [1:1867:1] MISC xdmcp info query [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/04-17:04:00.807816 172.168.1.0/24:42001 -> 192.168.1.0/24:177
UDP TTL:55 TOS:0x0 ID:55300 IpLen:20 DgmLen:36 DF
Len: 8
[Xref =>

[**] [1:1893:1] SNMP missing community string attempt [**]
[Classification: Misc Attack] [Priority: 2]
02/04-17:04:11.687820 172.168.1.0/24:42002 -> 192.168.1.0/24:161
UDP TTL:55 TOS:0x0 ID:56390 IpLen:20 DgmLen:70 DF
Len: 42
[Xref => CAN-1999-0517]

[**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**]
02/04-17:07:57.017823 172.168.1.0/24:137 -> 192.168.1.0/24:137
TCP TTL:244 TOS:0x0 ID:47626 IpLen:20 DgmLen:40
******** Seq: 0xF1C Ack: 0x0 Win: 0x200 TcpLen: 20

[**] [1:1384:3] MISC UPnP malformed advertisement [**]
[Classification: Misc Attack] [Priority: 2]
02/04-17:12:33.167839 172.168.1.0/24:1900 -> 192.168.1.0/24:1900
UDP TTL:55 TOS:0x0 ID:27002 IpLen:20 DgmLen:282
Len: 254
[Xref => CAN-2001-0877][Xref => cvename.cgi?name=CAN-2001-0876]

[**] [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
02/04-17:12:33.168303 172.168.1.0/24:0 -> 192.168.1.0/24:0
TCP TTL:55 TOS:0x0 ID:27258 IpLen:20 DgmLen:40
*****R** Seq: 0xF90 Ack: 0x0 Win: 0x2000 TcpLen: 0

[**] [1:1384:3] MISC UPnP malformed advertisement [**]
[Classification: Misc Attack] [Priority: 2]
02/04-17:12:34.227892 172.168.1.0/24:1900 -> 192.168.1.0/24:1900
UDP TTL:55 TOS:0x0 ID:27002 IpLen:20 DgmLen:282
Len: 254
[Xref => CAN-2001-0877][Xref => cvename.cgi?name=CAN-2001-0876]

[**] [1:634:2] SCAN Amanda client version request [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/04-17:24:38.567703 172.168.1.0/24:42214 -> 192.168.1.0/24:10080
UDP TTL:55 TOS:0x0 ID:48007 IpLen:20 DgmLen:97 DF
Len: 69

[**] [105:1:1] spp_bo: Back Orifice Traffic detected (key: 31337) [**]
02/04-17:48:31.487823 172.168.1.0/24:42906 -> 192.168.1.0/24:31337
UDP TTL:55 TOS:0x0 ID:59626 IpLen:20 DgmLen:46 DF
Len: 18

[**] [1:236:3] DDOS Stacheldraht client check gag [**]
[Classification: Attempted Denial of Service] [Priority: 2]
02/04-17:51:12.167810 172.168.1.0/24 -> 192.168.1.0/24
ICMP TTL:55 TOS:0x0 ID:13330 IpLen:20 DgmLen:39
Type:0 Code:0 ID:668 Seq:0 ECHO REPLY
[Xref =>

[**] [1:239:1] DDOS shaft handler to agent [**]
[Classification: Attempted Denial of Service] [Priority: 2]
02/04-17:54:33.387701 172.168.1.0/24:1024 -> 192.168.1.0/24:18753
UDP TTL:244 TOS:0x0 ID:2304 IpLen:20 DgmLen:49
Len: 21
[Xref =>
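The records above are Snort full-alert output. What follows is an added example written for this page, not code from the article or from Snort: a parser for that record format plus a small header-level triage pass, run over a constructed subset of the same records (same sanitized /24 addresses). The regular expressions, the Alert record and the function names (parse_alerts, tcp_anomaly, summarize) are this example's own; the one Snort-specific assumption it relies on is the fixed column order of the TCP flag field, "12UAPRSF".

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the same full-alert format as the page's data, reusing its
# sanitized /24 addresses; a subset for the example, not the page's complete data set.
SAMPLE_ALERTS = """\
[**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
[Classification: Misc activity] [Priority: 3]
02/04-13:00:19.837833 172.168.1.0/24 -> 192.168.1.0/24
ICMP TTL:118 TOS:0x0 ID:12687 IpLen:20 DgmLen:92
Type:8 Code:0 ID:512 Seq:57484 ECHO

[**] [1:2003:2] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
02/04-13:07:04.007822 172.168.1.0/24:2753 -> 192.168.1.0/24:1434
UDP TTL:111 TOS:0x0 ID:665 IpLen:20 DgmLen:404
Len: 376

[**] [1:620:5] SCAN Proxy Port 8080 attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
02/04-17:01:57.957803 172.168.1.0/24:57619 -> 192.168.1.0/24:8080
TCP TTL:55 TOS:0x0 ID:22607 IpLen:20 DgmLen:60 DF
******S* Seq: 0xA3A3F047 Ack: 0x0 Win: 0x16D0 TcpLen: 40

[**] [111:9:1] (spp_stream4) STEALTH ACTIVITY (NULL scan) detection [**]
02/04-17:07:57.017823 172.168.1.0/24:137 -> 192.168.1.0/24:137
TCP TTL:244 TOS:0x0 ID:47626 IpLen:20 DgmLen:40
******** Seq: 0xF1C Ack: 0x0 Win: 0x200 TcpLen: 20

[**] [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5! [**]
02/04-17:12:33.168303 172.168.1.0/24:0 -> 192.168.1.0/24:0
TCP TTL:55 TOS:0x0 ID:27258 IpLen:20 DgmLen:40
*****R** Seq: 0xF90 Ack: 0x0 Win: 0x2000 TcpLen: 0
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):\d+\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
PACKET_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
IP_RE = re.compile(r"^(ICMP|TCP|UDP) TTL:(\d+) TOS:0x[0-9A-Fa-f]+ ID:\d+ IpLen:\d+ DgmLen:\d+")
TCP_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x[0-9A-Fa-f]+ Ack: 0x[0-9A-Fa-f]+ Win: 0x[0-9A-Fa-f]+ TcpLen: (\d+)")
# Snort prints TCP flags as eight fixed columns "12UAPRSF": reserved bits 1 and 2,
# then URG ACK PSH RST SYN FIN; '*' marks a clear bit (assumption taken from Snort's output format).
FLAG_COLUMNS = "12UAPRSF"

@dataclass
class Alert:
    gid: int; sid: int; msg: str          # gid 1 = rules engine; other gids = preprocessor/decoder
    classification: Optional[str] = None  # gid != 1 records carry no Classification/Priority line
    priority: Optional[int] = None
    timestamp: str = ""; src: str = ""; dst: str = ""; proto: str = ""
    sport: Optional[int] = None; dport: Optional[int] = None; ttl: Optional[int] = None
    flags: frozenset = frozenset(); tcplen: Optional[int] = None

def decode_flags(columns: str) -> frozenset:
    return frozenset(FLAG_COLUMNS[i] for i, ch in enumerate(columns) if ch != "*")

def parse_alerts(text: str) -> List[Alert]:
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        m = HEADER_RE.match(lines[0]) if lines else None
        if not m:
            continue  # not an alert record; skip stray text between records
        a = Alert(gid=int(m[1]), sid=int(m[2]), msg=m[3])
        for ln in lines[1:]:
            if (m := CLASS_RE.match(ln)):
                a.classification, a.priority = m[1], int(m[2])
            elif (m := PACKET_RE.match(ln)):
                a.timestamp, a.src, a.dst = m[1], m[2], m[4]
                a.sport = int(m[3]) if m[3] is not None else None
                a.dport = int(m[5]) if m[5] is not None else None
            elif (m := IP_RE.match(ln)):
                a.proto, a.ttl = m[1], int(m[2])
            elif (m := TCP_RE.match(ln)):
                a.flags, a.tcplen = decode_flags(m[1]), int(m[2])
            # Xref, Len:, Type:/Code: and TCP Options lines carry nothing used here
        alerts.append(a)
    return alerts

def tcp_anomaly(a: Alert) -> Optional[str]:
    """Reason string when the TCP header itself is the tell, else None."""
    if a.proto != "TCP" or a.tcplen is None:
        return None
    if a.tcplen < 20:
        return "TCP header shorter than 20 bytes (data offset < 5)"
    if not a.flags:
        return "no TCP flags set (NULL scan)"
    return None

def summarize(alerts: List[Alert]) -> Dict[str, Counter]:
    return {"priority": Counter(a.priority for a in alerts),
            "signature": Counter(f"{a.gid}:{a.sid}" for a in alerts),
            "dport": Counter(a.dport for a in alerts if a.dport is not None),
            "ttl": Counter(a.ttl for a in alerts)}

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(a.timestamp, f"{a.gid}:{a.sid}", a.priority, a.proto, a.dport, a.msg, tcp_anomaly(a) or "")
    print({k: dict(v) for k, v in summarize(parsed).items()})
```

Two things the parser makes visible that a grep for "Priority" would miss. First, the preprocessor and decoder records in the data above (gid 105, 111, 112, 116, 119) carry no Classification/Priority line at all, so any triage keyed on priority alone silently drops the NULL scan, the fragroute-style retransmissions and the malformed TCP header; tcp_anomaly recovers those from the header fields instead. Second, once source addresses have been sanitized to /24 networks, as on this page, the TTL column is about the only field left for grouping: the run of alerts from 17:00 onward all arrive with TTL 55, which is a cheap lead (not proof) that one scanning host produced them. Running the block over the page's own records works as well; the truncated "[Xref =>" lines simply fail every pattern and are ignored.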