Re: how do i read this IDS log?

From: Rino Mardo (joroxx_at_gmail.com)
Date: 11/30/04

    Date: Tue, 30 Nov 2004 08:17:22 +0300
    To: security-basics@securityfocus.com
    
    

    could be an SNMP scan or just plain traffic? unfortunately after
    running my scanner for a month that's all i got. maybe i need to set
    my scanner to be more aggressive than the default settings.

    thanks to all who replied.

    On Mon, 29 Nov 2004 16:07:42 -0800, Don Parker
    <dparker@bridonsecurity.com> wrote:
    > Hello there,
    >
    > Well the source port will remain the same whilst it does the scan. It will change
    > however as noted below once a new scan is performed, i.e. the computer hands off
    > this scan on a new ephemeral port as it should. Beyond that there is nothing
    > remarkable in the packet headers listed below.
    >
    > ttl of 128: obviously coming from and aimed to your internal network
    > TOS:0x0 this field is pretty much always set to 0
    > ID:1998 this is the ip id number
    > IpLen:20 this is the length of your IP header
    > DgmLen:265 this is the overall datagram length which makes sense as follows;
    > 20 bytes for the IP header
    > 8 bytes for the UDP header
    > 237 bytes of data
    > total bytes of 265
    > Len: 237 this is the amount of data bytes
    >
    > I am unfamiliar with the tool you are using to scan for your community strings
    > and such so I won't comment on it.
    >
    > Hope this helps,
    >
    > Don
    >
    > --------------------------------------------------------------
    > Don Parker, GCIA GCIH
    > Intrusion Detection & Incident Handling Specialist
    > Bridon Security & Training Services
    > http://www.bridonsecurity.com
    > voice: 1-613-302-2910
    > --------------------------------------------------------------
    >
    > >> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    >
    > >>
    > >> 11/22-10:19:32.187608 xx.xx.xx.xx:1630 -> 255.255.255.255:161
    > >> UDP TTL:128 TOS:0x0 ID:1998 IpLen:20 DgmLen:265
    > >> Len: 237
    > >> 30 81 EA 02 01 00 04 06 70 75 62 6C 69 63 A1 81 0.......public..
    > >> DC 02 01 00 02 01 00 02 01 00 30 81 D0 30 0B 06 ..........0..0..
    > >> 07 2B 06 01 02 01 01 01 05 00 30 0B 06 07 2B 06 .+........0...+.
    > >> 01 02 01 01 03 05 00 30 0B 06 07 2B 06 01 02 01 .......0...+....
    > >> 01 05 05 00 30 0D 06 09 2B 06 01 02 01 02 02 01 ....0...+.......
    > >> 06 05 00 30 0D 06 09 2B 06 01 02 01 04 14 01 01 ...0...+........
    > >> 05 00 30 0E 06 0A 2B 06 01 02 01 19 03 02 01 03 ..0...+.........
    > >> 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 09 01 ..0...+.........
    > >> 01 07 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 ....0...+.......
    > >> 09 05 01 03 05 00 30 10 06 0C 2B 06 01 04 01 0B ......0...+.....
    > >> 02 04 03 08 03 02 05 00 30 10 06 0C 2B 06 01 04 ........0...+...
    > >> 01 0B 02 04 03 08 03 03 05 00 30 0F 06 0B 2B 06 ..........0...+.
    > >> 01 04 01 0B 02 04 03 0A 07 05 00 30 0F 06 0B 2B ...........0...+
    > >> 06 01 04 01 0B 02 04 03 0A 0D 05 00 30 0F 06 0B ............0...
    > >> 2B 06 01 04 01 0B 02 04 03 0D 01 05 00 +............
    > >>
    > >> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    > >>
    > >> 11/22-10:19:32.891551 xx.xx.xx.xx:1630 -> 255.255.255.255:161
    > >> UDP TTL:128 TOS:0x0 ID:2146 IpLen:20 DgmLen:267
    > >> Len: 239
    > >> 30 81 EC 02 01 00 04 08 69 6E 74 65 72 6E 61 6C 0.......internal
    > >> A1 81 DC 02 01 00 02 01 00 02 01 00 30 81 D0 30 ............0..0
    > >> 0B 06 07 2B 06 01 02 01 01 01 05 00 30 0B 06 07 ...+........0...
    > >> 2B 06 01 02 01 01 03 05 00 30 0B 06 07 2B 06 01 +........0...+..
    > >> 02 01 01 05 05 00 30 0D 06 09 2B 06 01 02 01 02 ......0...+.....
    > >> 02 01 06 05 00 30 0D 06 09 2B 06 01 02 01 04 14 .....0...+......
    > >> 01 01 05 00 30 0E 06 0A 2B 06 01 02 01 19 03 02 ....0...+.......
    > >> 01 03 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 ....0...+.......
    > >> 09 01 01 07 05 00 30 10 06 0C 2B 06 01 04 01 0B ......0...+.....
    > >> 02 03 09 05 01 03 05 00 30 10 06 0C 2B 06 01 04 ........0...+...
    > >> 01 0B 02 04 03 08 03 02 05 00 30 10 06 0C 2B 06 ..........0...+.
    > >> 01 04 01 0B 02 04 03 08 03 03 05 00 30 0F 06 0B ............0...
    > >> 2B 06 01 04 01 0B 02 04 03 0A 07 05 00 30 0F 06 +............0..
    > >> 0B 2B 06 01 04 01 0B 02 04 03 0A 0D 05 00 30 0F .+............0.
    > >> 06 0B 2B 06 01 04 01 0B 02 04 03 0D 01 05 00 ..+............
    > >>
    > >> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    > >>
    > >> 11/22-10:19:33.357811 xx.xx.xx.xx:1630 -> 255.255.255.255:161
    > >> UDP TTL:128 TOS:0x0 ID:2184 IpLen:20 DgmLen:265
    > >> Len: 237
    > >> 30 81 EA 02 01 00 04 06 70 75 62 6C 69 63 A1 81 0.......public..
    > >> DC 02 01 00 02 01 00 02 01 00 30 81 D0 30 0B 06 ..........0..0..
    > >> 07 2B 06 01 02 01 01 01 05 00 30 0B 06 07 2B 06 .+........0...+.
    > >> 01 02 01 01 03 05 00 30 0B 06 07 2B 06 01 02 01 .......0...+....
    > >> 01 05 05 00 30 0D 06 09 2B 06 01 02 01 02 02 01 ....0...+.......
    > >> 06 05 00 30 0D 06 09 2B 06 01 02 01 04 14 01 01 ...0...+........
    > >> 05 00 30 0E 06 0A 2B 06 01 02 01 19 03 02 01 03 ..0...+.........
    > >> 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 09 01 ..0...+.........
    > >> 01 07 05 00 30 10 06 0C 2B 06 01 04 01 0B 02 03 ....0...+.......
    > >> 09 05 01 03 05 00 30 10 06 0C 2B 06 01 04 01 0B ......0...+.....
    > >> 02 04 03 08 03 02 05 00 30 10 06 0C 2B 06 01 04 ........0...+...
    > >> 01 0B 02 04 03 08 03 03 05 00 30 0F 06 0B 2B 06 ..........0...+.
    > >> 01 04 01 0B 02 04 03 0A 07 05 00 30 0F 06 0B 2B ...........0...+
    > >> 06 01 04 01 0B 02 04 03 0A 0D 05 00 30 0F 06 0B ............0...
    > >> 2B 06 01 04 01 0B 02 04 03 0D 01 05 00 +............
    >
    > <snip for b/w>
    >
    >

    -- 
    "Every morning, I get up and look through the 'Forbes' list of the
    richest people in America.  If I'm not there, I go to work"
    	-- Robert Orben
    
