Top blocked attacks

Is always blank? I have it enabled and have run scans and attacks against it, but it always shows blank.

what can I troubleshoot?

Dave P
  • Hi,

    I can't reproduce it. Are you sure that your attacks were not fetched by the packet filter?
    If you are unsure, attack your victim again and look in the ips.log to see whether the ASG logs something or not.

    Greetz

    Florijan
  • 2008:05:16-10:07:58 (none) barnyard[5348]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: OVERSIZE REQUEST-URI DIRECTORY" group="0" srcip="216.2.2.2" dstip="74.2.2.2" proto="6" srcport="38000" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid="1"
    2008:05:16-10:08:31 (none) barnyard[5348]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: OVERSIZE REQUEST-URI DIRECTORY" group="0" srcip="216.2.22" dstip="74.2.2.2" proto="6" srcport="38165" dstport="80" sid="0" class="Unknown" priority="3" generator="119" msgid=
  • Hi Dave,

    I have logged a similar complaint in another thread. Under, I think, the last 3 betas there hasn't been anything reported in the graphs for attacks or attempted attacks.


    Ian M
  • Hi,
    Good that you added some log lines; this makes debugging a lot easier. Snort ID (sid) == 0 and group == 0 indicate a preprocessor alert. Since pre-V7, preprocessor alerts are ignored by the reporting because preprocessors are very noisy and seldom contain useful information.

    Cheers,
     andreas
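    The rule andreas describes can be checked directly against an ips.log extract. The script below is an added example, not code from Astaro or from anyone in this thread: it parses the key="value" fields of barnyard lines in the format posted above, drops every event whose sid and group are both 0 (a preprocessor alert), and counts what remains by reason and source address, which is what a "top attacks" report needs. The sample log is constructed: the first two lines copy the format of the posted ones, and the third is a made-up rule alert with placeholder sid, group and documentation-range addresses, added only so the report has one entry to count. Run it as-is and the two preprocessor lines are skipped and only the constructed rule alert is reported, which is exactly the empty-report situation Dave and Ian describe when every line in the log carries sid=0 and group=0.

```python
import re
from collections import Counter

# Constructed sample ips.log in the barnyard format quoted in this thread.
# Lines 1-2: same layout as the posted lines (sid=0, group=0 -> preprocessor alert).
# Line 3: a constructed rule alert; sid="1000001", group="1" and the 192.0.2.x
# addresses are placeholders, not real rule ids or hosts.
SAMPLE_LOG = """\
2008:05:17-22:43:27 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="12.129.200.195" proto="6" srcport="40992" dstport="80" sid="0" class="Unknown" priority="3"  generator="119" msgid="1"
2008:05:17-23:08:00 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: OVERSIZE REQUEST-URI DIRECTORY" group="0" srcip="210.84.42.26" dstip="69.12.23.234" proto="6" srcport="45902" dstport="80" sid="0" class="Unknown" priority="3"  generator="119" msgid="1"
2008:05:17-23:20:00 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="EXAMPLE rule alert (constructed)" group="1" srcip="192.0.2.10" dstip="192.0.2.20" proto="6" srcport="51000" dstport="80" sid="1000001" class="Unknown" priority="2"  generator="1" msgid="1"
"""

# Matches each key="value" pair; values in this format never contain a double quote.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return one barnyard line as a dict of its fields; the leading timestamp is kept under 'ts'."""
    fields = dict(FIELD_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def is_preprocessor_alert(event):
    """sid == 0 together with group == 0 marks an alert raised by a Snort
    preprocessor rather than by a rule; the thread says reporting ignores these."""
    return event.get("sid") == "0" and event.get("group") == "0"


def top_attacks(log_text):
    """Count reportable (non-preprocessor) IPS events by (reason, srcip).

    Returns (list of ((reason, srcip), count) most frequent first, number skipped).
    """
    counts = Counter()
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("sub") != "ips":      # only IPS subsystem lines belong in this report
            continue
        if is_preprocessor_alert(ev):   # the filter andreas describes
            skipped += 1
            continue
        counts[(ev["reason"], ev["srcip"])] += 1
    return counts.most_common(), skipped


if __name__ == "__main__":
    report, skipped = top_attacks(SAMPLE_LOG)
    print(f"preprocessor alerts ignored: {skipped}")
    if not report:
        print("(report is empty: every line was a preprocessor alert)")
    for (reason, srcip), n in report:
        print(f"{n:4d}  {srcip:15s}  {reason}")
```

    To test a real extract, replace SAMPLE_LOG with the contents of ips.log; if `skipped` equals the number of lines and the report comes back empty, the graph is blank for the reason given above and not because logging failed.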
  • Hi,
    IPS log extract.

    2008:05:17-22:43:27 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="12.129.200.195" proto="6" srcport="40992" dstport="80" sid="0" class="Unknown" priority="3"  generator="119" msgid="1"
    2008:05:17-22:48:02 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="12.129.200.195" proto="6" srcport="38571" dstport="80" sid="0" class="Unknown" priority="3"  generator="119" msgid="1"
    2008:05:17-22:48:02 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="12.129.200.195" proto="6" srcport="38578" dstport="80" sid="0" class="Unknown" priority="3"  generator="119" msgid="1"
    2008:05:17-23:08:00 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: OVERSIZE REQUEST-URI DIRECTORY" group="0" srcip="210.84.42.26" dstip="69.12.23.234" proto="6" srcport="45902" dstport="80" sid="0" class="Unknown" priority="3"  generator="119" msgid="1"
    2008:05:17-23:09:08 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="203.206.138.146" proto="6" srcport="55242" dstport="80" sid="0" class="Unknown" priority="3"  generator="119" msgid="1"
    2008:05:17-23:16:11 (none) barnyard[26305]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="alert" reason="http_inspect: DOUBLE DECODING ATTACK" group="0" srcip="210.84.42.26" dstip="207.46.19.254" proto="6" srcport="58937" dstport="80" sid="0" class="Unknown" priority="3"  generator="119" msgid="1"

    I can't actually prove that these relate to the entries in the daily report because none of these have the IP address shown in the daily report. There are 2 entries earlier in the log that might be of interest as well, but they also don't have the IP address shown in the report.

    Ian M

    Put it in the wrong thread.