linuxsnortpenetration-testing

Snort signature explanation


SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder [Classification: Executable Code was Detected] [Priority: 1] {TCP} 192.168.202.50:60322 -> 192.168.22.252:445

1) what does this alert mean? what is the signature is looking for? and if its get through what will happen? 2) Which ip is the attacker?

2)Data on SYN packet [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.199.58:63000 -> 192.168.28.100:60000

1) what does this alert mean? what is the signature is looking for? and if its get through what will happen? 2) in which part of the snort architecture this alert came from?

3)SPYWARE-PUT Hacker-Tool timbuktu pro runtime detection - udp port 407 [Classification: Misc activity] [Priority: 3] {UDP} 192.168.199.58:59173 -> 192.168.22.201:407 1) what does this alert mean? what is the signature is looking for? and if its get through what will happen? 2) who is host and who is victim?

4) snort: [1:3815:6] SMTP eXchange POP3 mail server overflow attempt [Classification: Misc Attack] [Priority: 2] {TCP} 192.168.199.58:60327 -> 192.168.21.151:25 1) what does this alert mean? what is the signature is looking for? and if its get through what will happen? 2) who is host and who is attacker?

I have done a ton of searchers but could not understand or find any details information about those signature. please help


Solution

  • So, let me structure this in one Answer:

    1)

    2)

    3)

    4)

    But in all those cases, it seems 192.168.199.58 is probably exploited, or something from that box is probing the LAN network..

    I would also scan 192.168.199.50 and .58 to figure out who is on those boxes, any current connections from foreign addresses, that might have exploited these two boxes..