
Snort Firewall Logs


Optics


Hey guys,

I've been having attempts every single night from Chinese IPs. It would only be one or two tries. But earlier, I got a bunch from Russian IP addresses. Any idea why I got such an influx of attacks? Anyone else seeing similar attacks?

My pfSense box is set not to respond to ping, and all ports appear closed from the WAN side. All attackers get blocked by Snort automatically.

Thanks,

Optics

Here's the log:

[**] [1:2406699:140] ET RBN Known Russian Business Network IP UDP (350) [**]
[Classification: Misc Attack] [Priority: 2] 
07/11-18:52:17.039841 92.241.185.14:27016 -> 192.168.1.199:13495
UDP TTL:48 TOS:0x0 ID:30215 IpLen:20 DgmLen:120 DF
Len: 92
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406699:140] ET RBN Known Russian Business Network IP UDP (350) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:17.039761 92.241.185.14:27016 -> xxx.xxx.xxx.xxx:58769
UDP TTL:49 TOS:0x0 ID:0 IpLen:20 DgmLen:120 DF
Len: 92
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406699:140] ET RBN Known Russian Business Network IP UDP (350) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:17.132641 92.241.167.16:27015 -> 192.168.1.199:13495
UDP TTL:48 TOS:0x0 ID:18702 IpLen:20 DgmLen:126 DF
Len: 98
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406699:140] ET RBN Known Russian Business Network IP UDP (350) [**]
[Classification: Misc Attack] [Priority: 2] 
07/11-18:52:17.132529 92.241.167.16:27015 -> xxx.xxx.xxx.xxx:51648
UDP TTL:49 TOS:0x0 ID:0 IpLen:20 DgmLen:126 DF
Len: 98
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2] 
07/11-18:52:18.114122 92.48.203.27:27015 -> 192.168.1.199:13495
UDP TTL:113 TOS:0x0 ID:47138 IpLen:20 DgmLen:142
Len: 114
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.113929 92.48.203.27:27015 -> xxx.xxx.xxx.xxx:53229
UDP TTL:114 TOS:0x0 ID:26315 IpLen:20 DgmLen:142
Len: 114
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.132478 92.48.195.206:27016 -> 192.168.1.199:13495
UDP TTL:114 TOS:0x0 ID:33608 IpLen:20 DgmLen:134
Len: 106
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.132339 92.48.195.206:27016 -> xxx.xxx.xxx.xxx:52772
UDP TTL:115 TOS:0x0 ID:3012 IpLen:20 DgmLen:134
Len: 106
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.162915 92.48.195.68:28099 -> 192.168.1.199:13495
UDP TTL:113 TOS:0x0 ID:37722 IpLen:20 DgmLen:141 DF
Len: 113
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2] 
07/11-18:52:18.162725 92.48.195.68:28099 -> xxx.xxx.xxx.xxx:63936
UDP TTL:114 TOS:0x0 ID:27174 IpLen:20 DgmLen:141 DF
Len: 113
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406707:140] ET RBN Known Russian Business Network IP UDP (354) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.375513 92.62.98.46:27015 -> xxx.xxx.xxx.xxx:61817
UDP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:133 DF
Len: 105
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.316675 92.48.195.205:27015 -> 192.168.1.199:13495
UDP TTL:114 TOS:0x0 ID:789 IpLen:20 DgmLen:133
Len: 105
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.408724 92.48.195.205:27017 -> xxx.xxx.xxx.xxx:60129
UDP TTL:115 TOS:0x0 ID:3964 IpLen:20 DgmLen:131
Len: 103
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.473916 92.48.194.210:27025 -> xxx.xxx.xxx.xxx:53214
UDP TTL:51 TOS:0x0 ID:0 IpLen:20 DgmLen:153 DF
Len: 125
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.541733 92.48.203.28:27015 -> 192.168.1.199:13495
UDP TTL:113 TOS:0x0 ID:49682 IpLen:20 DgmLen:159
Len: 131
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.541637 92.48.203.28:27015 -> xxx.xxx.xxx.xxx:53016
UDP TTL:114 TOS:0x0 ID:26805 IpLen:20 DgmLen:159
Len: 131
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [122:22:0] (portscan) UDP Filtered Decoy Portscan [**]
[Priority: 3] 
07/11-18:52:20.220442 193.192.59.192 -> xxx.xxx.xxx.xxx
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:171 DF

[**] [1:2406045:140] ET RBN Known Russian Business Network IP UDP (23) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:26.737303 195.161.4.58:27015 -> 192.168.1.199:13495
UDP TTL:50 TOS:0x0 ID:63368 IpLen:20 DgmLen:118 DF
Len: 90
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406045:140] ET RBN Known Russian Business Network IP UDP (23) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:26.892837 195.161.4.58:2009 -> xxx.xxx.xxx.xxx:50763
UDP TTL:51 TOS:0x0 ID:0 IpLen:20 DgmLen:122 DF
Len: 94
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2500075:1581] ET COMPROMISED Known Compromised or Hostile Host Traffic UDP (38) [**]
[Classification: Misc Attack] [Priority: 2] 
07/11-18:52:30.021197 202.125.47.222:29005 -> xxx.xxx.xxx.xxx:50539
UDP TTL:51 TOS:0x0 ID:0 IpLen:20 DgmLen:146 DF
Len: 118
[Xref => http://doc.emergingthreats.net/bin/view/Ma...ompromisedHosts]

[**] [1:2406195:140] ET RBN Known Russian Business Network IP UDP (98) [**]
[Classification: Misc Attack] [Priority: 2] 
07/11-18:52:54.342147 212.77.128.138:27075 -> xxx.xxx.xxx.xxx:62540
UDP TTL:111 TOS:0x24 ID:27084 IpLen:20 DgmLen:116
Len: 88
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406195:140] ET RBN Known Russian Business Network IP UDP (98) [**]
[Classification: Misc Attack] [Priority: 2] 
07/11-18:52:54.342220 212.77.128.138:27075 -> 192.168.1.199:13495
UDP TTL:110 TOS:0x24 ID:4575 IpLen:20 DgmLen:116
Len: 88
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406707:140] ET RBN Known Russian Business Network IP UDP (354) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:53:24.755909 92.62.98.47:27015 -> 192.168.1.199:13495
UDP TTL:46 TOS:0x0 ID:26363 IpLen:20 DgmLen:130 DF
Len: 102
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406707:140] ET RBN Known Russian Business Network IP UDP (354) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:53:24.755702 92.62.98.47:27015 -> xxx.xxx.xxx.xxx:50165
UDP TTL:47 TOS:0x0 ID:0 IpLen:20 DgmLen:130 DF
Len: 102
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406707:140] ET RBN Known Russian Business Network IP UDP (354) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:53:24.876024 92.62.98.45:27015 -> 192.168.1.199:13495
UDP TTL:45 TOS:0x0 ID:34725 IpLen:20 DgmLen:131 DF
Len: 103
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406707:140] ET RBN Known Russian Business Network IP UDP (354) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:53:24.875969 92.62.98.45:27015 -> xxx.xxx.xxx.xxx:52839
UDP TTL:46 TOS:0x0 ID:0 IpLen:20 DgmLen:131 DF
Len: 103
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:53:29.090152 92.48.203.104:27045 -> 192.168.1.199:13495
UDP TTL:113 TOS:0x0 ID:29159 IpLen:20 DgmLen:149
Len: 121
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:53:29.090023 92.48.203.104:27045 -> xxx.xxx.xxx.xxx:56649
UDP TTL:114 TOS:0x0 ID:15024 IpLen:20 DgmLen:149
Len: 121
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [122:22:0] (portscan) UDP Filtered Decoy Portscan [**]
[Priority: 3] 
07/11-18:54:11.567580 95.31.2.6 -> xxx.xxx.xxx.xxx
PROTO:255 TTL:0 TOS:0x0 ID:18756 IpLen:20 DgmLen:174

[**] [122:22:0] (portscan) UDP Filtered Decoy Portscan [**]
[Priority: 3] 
07/11-18:55:09.865401 84.38.74.241 -> xxx.xxx.xxx.xxx
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:172 DF

[**] [1:2406255:140] ET RBN Known Russian Business Network IP UDP (128) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:55:14.606707 217.170.66.68:27015 -> 192.168.1.199:13495
UDP TTL:114 TOS:0x0 ID:14633 IpLen:20 DgmLen:131
Len: 103
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406255:140] ET RBN Known Russian Business Network IP UDP (128) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:55:14.606606 217.170.66.68:27015 -> xxx.xxx.xxx.xxx:53052
UDP TTL:115 TOS:0x0 ID:9518 IpLen:20 DgmLen:131
Len: 103
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406563:140] ET RBN Known Russian Business Network IP UDP (282) [**]
[Classification: Misc Attack] [Priority: 2] 
07/11-18:55:30.581274 80.70.228.80:27016 -> xxx.xxx.xxx.xxx:62116
UDP TTL:48 TOS:0x0 ID:0 IpLen:20 DgmLen:123 DF
Len: 95
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406563:140] ET RBN Known Russian Business Network IP UDP (282) [**]
[Classification: Misc Attack] [Priority: 2] 
07/11-18:55:30.581354 80.70.228.80:27016 -> 192.168.1.199:13495
UDP TTL:47 TOS:0x0 ID:6071 IpLen:20 DgmLen:123 DF
Len: 95
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406533:140] ET RBN Known Russian Business Network IP UDP (267) [**]
[Classification: Misc Attack] [Priority: 2] 
07/11-18:55:40.902023 78.129.142.161:27015 -> xxx.xxx.xxx.xxx:60298
UDP TTL:49 TOS:0x0 ID:0 IpLen:20 DgmLen:162 DF
Len: 134
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406533:140] ET RBN Known Russian Business Network IP UDP (267) [**]
[Classification: Misc Attack] [Priority: 2] 
07/11-18:55:40.902130 78.129.142.161:27015 -> 192.168.1.199:13495
UDP TTL:48 TOS:0x0 ID:34922 IpLen:20 DgmLen:162 DF
Len: 134
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406533:140] ET RBN Known Russian Business Network IP UDP (267) [**]
[Classification: Misc Attack] [Priority: 2] 
07/11-18:55:41.096640 78.129.142.183:27015 -> xxx.xxx.xxx.xxx:51910
UDP TTL:48 TOS:0x0 ID:0 IpLen:20 DgmLen:151 DF
Len: 123
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406533:140] ET RBN Known Russian Business Network IP UDP (267) [**]
[Classification: Misc Attack] [Priority: 2] 
07/11-18:55:41.096699 78.129.142.183:27015 -> 192.168.1.199:13495
UDP TTL:47 TOS:0x0 ID:26735 IpLen:20 DgmLen:151 DF
Len: 123
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406519:140] ET RBN Known Russian Business Network IP UDP (260) [**]
[Classification: Misc Attack] [Priority: 2] 
07/11-18:55:53.554627 77.91.226.50:27015 -> xxx.xxx.xxx.xxx:51522
UDP TTL:49 TOS:0x0 ID:0 IpLen:20 DgmLen:128 DF
Len: 100
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406519:140] ET RBN Known Russian Business Network IP UDP (260) [**]
[Classification: Misc Attack] [Priority: 2] 
07/11-18:55:53.554825 77.91.226.50:27015 -> 192.168.1.199:13495
UDP TTL:48 TOS:0x0 ID:10921 IpLen:20 DgmLen:128 DF
Len: 100
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

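A quick way to triage a log like the one above, as an added example (not code from the thread, pfSense or Snort): a parser for Snort's full-alert format that counts hits per signature, per source IP, and per source-port/destination socket, so you can see whether the entries are distinct attacks or one pattern repeated. The sample input is three records excerpted from the posted log; the regexes only cover the line shapes that appear there.

```python
import re
from collections import Counter
# Sample input: three records excerpted from the Snort log posted above
# (two ET RBN signature hits and one sfportscan preprocessor alert).
SAMPLE_LOG = """\
[**] [1:2406699:140] ET RBN Known Russian Business Network IP UDP (350) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:17.039841 92.241.185.14:27016 -> 192.168.1.199:13495
UDP TTL:48 TOS:0x0 ID:30215 IpLen:20 DgmLen:120 DF
Len: 92
[Xref => http://doc.emergingthreats.net/bin/view/Ma...BusinessNetwork]

[**] [1:2406701:140] ET RBN Known Russian Business Network IP UDP (351) [**]
[Classification: Misc Attack] [Priority: 2]
07/11-18:52:18.114122 92.48.203.27:27015 -> 192.168.1.199:13495
UDP TTL:113 TOS:0x0 ID:47138 IpLen:20 DgmLen:142

[**] [122:22:0] (portscan) UDP Filtered Decoy Portscan [**]
[Priority: 3]
07/11-18:52:20.220442 193.192.59.192 -> xxx.xxx.xxx.xxx
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:171 DF
"""
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
PACKET_RE = re.compile(r"^(\d\d/\d\d-[\d:.]+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
PROTO_RE = re.compile(r"^(UDP|TCP|ICMP|PROTO:\d+) TTL:(\d+)")

def parse_alerts(text):
    """One dict per blank-line-separated Snort 'full' alert; unparsed lines (Len:, Xref) are skipped."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            line = line.strip()
            if m := HEADER_RE.match(line):
                rec.update(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), msg=m[4])
            elif m := PRIORITY_RE.search(line):
                rec["priority"] = int(m[1])
            elif m := PACKET_RE.match(line):
                rec.update(time=m[1], src=m[2], sport=m[3] and int(m[3]),
                           dst=m[4], dport=m[5] and int(m[5]))
            elif m := PROTO_RE.match(line):
                rec.update(proto=m[1], ttl=int(m[2]))
        if "sid" in rec and "src" in rec:   # drop entries cut off mid-record
            alerts.append(rec)
    return alerts

def summarize(alerts):
    """Counts to look at first: signatures, sources, and source-port/destination clustering."""
    return {
        "by_sid": Counter((a["gid"], a["sid"]) for a in alerts),
        "by_src": Counter(a["src"] for a in alerts),
        "by_flow": Counter((a["sport"], a["dst"], a["dport"]) for a in alerts),
    }
```

Feed the full log to parse_alerts() and the by_flow counter shows at a glance whether the hits cluster on a few source ports and one destination host rather than spreading across services.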

Wow, that's interesting, man. No, I haven't had any activity. Some attempts on my FTP server, but they get banned after 3 fails anyway -- they're not even trying the right usernames, and my passwords are 10+ long alphanum + spec chars.

I see from the log they are running scans and different attacks, but what services are you running?

I'm trusting you have everything patched up to date and have good, strong passwords. :)

Now that I remember, I was getting a series of attacks from China, but that was a while ago.


Russia and China are the two biggest problem countries when it comes to spam and website attacks. It's all automated: point and click, then walk away, check later for positive results, then take over whatever they find. You can try blocking the countries' subnets, but then you block legit people as well, but I really don't care if anyone from Russia and China ever reaches my site. There was a website that had all the well-known subnets for each country, but I can't remember the link. Something like countryblocks or cidrcountryblocks, something like that.

edit: Found it

http://www.remotetm.net/country-blocks/htaccess-deny-format/


@i.have.rewt

The only services I have running are Squid (3128), SSH (1337), HTTPS (443), Domain (53), and FTP (21).

@digip

Thanks for the information. The box shouldn't respond to ping and it won't give them any results for a port scan. So how do they even know anything exists at my IP?

Thanks guys,

Optics


Ping isn't the end-all, be-all finder. Opening a telnet to any number of ports tells you more than a ping for keep-alive. Hell, even pings can't hide ARP. Next time you are on a local LAN, test this to see what I mean. Set up a machine to block pings. Then, from another machine on the same subnet, ping the machine and watch the timeouts. Now run arp, and guess what, you will see an entry for the IP address as well as the MAC address of the machine that won't reply to the ping. If the IP and MAC show up in the ARP table, then you know the machine is online. If it doesn't show in ARP, then the machine is offline or unreachable. This only works on the same subnet, but it is one thing to keep in mind that ping is only one tool to check whether an end device is alive. There are other ways to check for things beyond port scans, like scripted telnet sessions to popular ports, etc...

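The LAN experiment described above, as an added example (not code from the thread): ping a host once to force ARP resolution, ignore whether ICMP is answered, and read the kernel neighbour table instead. It assumes Linux with iproute2 (`ip neigh`); the `SAMPLE_NEIGH` text is a constructed sample of that command's output, and as the post says, the check only means something for hosts on the same subnet.

```python
import re
import subprocess

# Constructed sample of `ip neigh show` output (not taken from the thread):
# a host that answered ARP, one that never did, and an aged-out entry.
SAMPLE_NEIGH = """\
192.168.1.199 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.50 dev eth0 FAILED
192.168.1.77 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
"""
NEIGH_RE = re.compile(r"^(\S+) dev (\S+)(?: lladdr (\S+))?(?: \w+)*? (\S+)$")

def parse_neigh(text):
    """Map IP -> (MAC or None, NUD state) from `ip neigh show` output."""
    table = {}
    for line in text.splitlines():
        if m := NEIGH_RE.match(line.strip()):
            ip, _dev, mac, state = m.groups()
            table[ip] = (mac, state)
    return table

def alive_per_arp(ip, neigh_text):
    """True when the neighbour table holds a MAC for ip: the host answered ARP
    even if it drops ICMP echo. FAILED/INCOMPLETE entries carry no MAC."""
    mac, state = parse_neigh(neigh_text).get(ip, (None, "MISSING"))
    return mac is not None and state not in ("FAILED", "INCOMPLETE")

def check_lan_host(ip):
    """Ping once to trigger ARP resolution (the ICMP reply itself is ignored),
    then read the kernel neighbour table. Same-subnet hosts only."""
    subprocess.run(["ping", "-c", "1", "-W", "1", ip],
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    out = subprocess.run(["ip", "neigh", "show", ip],
                         capture_output=True, text=True).stdout
    return alive_per_arp(ip, out)
```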
