Problem with snort

#1 22nd September 2009, 08:16 PM

Hi, i am trying do a report of snort alert, in my alert i have:

09/22-15:53:53.580223 [**] [1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} XXXXXXXX -> XXXXXXXX
09/22-15:54:01.099031 [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} XXXXXXXX -> XXXXXXXX
09/22-15:54:13.251284 [**] [1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} XXXXXXXX -> XXXXXXXX
09/22-15:54:20.111715 [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} XXXXXXXX -> 64.233.163.99:80
09/22-15:54:31.728951 [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**] [Priority: 3] {TCP} XXXXXXXX:48039 -> 64.233.163.87:80
09/22-15:54:35.168202 [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} XXXXXXXX:37979 -> 209.207.230.14:80
09/22-15:54:46.320918 [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**] [Priority: 3] {TCP} XXXXXXXX:41998 -> 64.233.163.19:80
09/22-15:54:55.517970 [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} XXXXXXXX -> 208.37.10.19
09/22-15:55:08.728967 [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**] [Priority: 3] {TCP} XXXXXXXX:35411 -> 200.221.6.19:80
09/22-15:55:20.218956 [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 64.233.163.189 -> XXXXXXXX
09/22-15:55:38.995693 [**] [1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 216.177.210.215 -> XXXXXXXX
09/22-15:55:57.923854 [**] [1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 216.177.210.215 -> XXXXXXXX
09/22-15:56:00.246121 [**] [1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 216.177.210.215 -> XXXXXXXX
09/22-15:56:06.809971 [**] [1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 216.177.210.215 -> XXXXXXXX
09/22-15:56:11.082945 [**] [1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 216.177.210.215 -> XXXXXXXX
09/22-15:56:11.383833 [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**] [Priority: 3] {TCP} XXXXXXXX:48800 -> 64.233.163.147:80
09/22-15:56:12.998569 [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**] [Priority: 3] {TCP} XXXXXXXX:40767 -> 64.233.163.104:80
09/22-15:56:18.918671 [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**] [Priority: 3] {TCP} XXXXXXXX:35771 -> 64.233.163.103:80
09/22-15:56:22.565546 [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**] [Priority: 3] {TCP} XXXXXXXX:55497 -> 64.233.163.99:80
09/22-15:56:25.462989 [**] [1:486:5] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 216.177.210.215 -> XXXXXXXX
09/22-15:56:31.778984 [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} XXXXXXXX -> 207.228.216.165

When i run the snortalog ( # cat /var/log/snort/alert | /usr/local/snortalog/snortalog.pl -r -g -i -o /var/www/html/snort/index.html -report ) and view the page, dont appear anything, only the number of packages, no one graphs, why ? In my snort.conf i only change the HOME_NET and EXTERNAL_NET.

live11 · #2 26th December 2009, 03:24 PM

Quote:

Originally Posted by brunoadm

. . . ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} XXXXXXXX -> XXXXXXXX

I am about to try the snort utility - for the first time - in about 15 mins when our law library opens up - all to "uncover" a destination MAC address (from my currently unbootable Mobile AMD 64 cpu and trying to do a LAN diskless boot)
all to rescue files on this laptop client destination ( ifconfig, as far as I know how to use, only can give the source host MAC address needed for the LAN boot).

I may just run into the same administratively prohibited message . . .
but feel I won't from my server side - as I am booting my own F11 Live on a USB drive on the university computer -
thus outside and around the "administrative privileges prohibited" Windows OS and hard drive.

But I find it is interesting in my early learning curve of snort that it even has that sort of error message - I thought it could "sniff" out all (virtually all) network traffic.
Maybe - as a newbie suggestion - is there either some switch / option needed in the command ?
- or - do any experts out there know if dsniff is better for these types of situations.