Victim IP: 192.168.1.70
I’m testing it using this command:
nmap -P0 192.168.1.70
This is what we can see when the attacker is trying to attack 192.168.1.70. See the result here:
tail -f /var/log/snort/snort_inline-fast
tail -f /var/log/snort/snort_inline-full
Alert 1:
12/17-03:31:49.442610 [**] [1:1418:11] SNMP request tcp
[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49786 -> 192.168.1.70:161
12/17-03:31:49.885321 [**] [1:1418:11] SNMP request tcp
[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49787 -> 192.168.1.70:161
SNMP request tcp?? What does it mean?
This event is generated when an SNMP-Trap connection over TCP to an SNMP daemon is made. An attacker sends a packet directed to tcp port 161; if successful, a reply is generated and the attacker may then launch further attacks against the SNMP daemon.
Alert 2
12/17-03:33:22.683878 [**] [1:1421:11] SNMP AgentX/tcp request
[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49786 -> 192.168.1.70:705
12/17-03:33:23.152793 [**] [1:1421:11] SNMP AgentX/tcp request
[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49787 -> 192.168.1.70:705
SNMP AgentX/tcp request???
This event is generated when an attempt is made to attack a device using SNMP v1. The impact varies depending on the implementation, ranging from Denial of Service (DoS) to code execution. A number of vulnerabilities exist in SNMP v1, including a community string buffer overflow, that will allow an attacker to execute arbitrary code or shut down the service. An attacker needs to send a specially crafted packet to UDP port 705 of a vulnerable device, causing a Denial of Service or possible execution of arbitrary code.
Alert 3:
12/17-03:33:24.532724 [**] [1:1420:11] SNMP trap tcp
[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49786 -> 192.168.1.70:162
12/17-03:33:25.010310 [**] [1:1420:11] SNMP trap tcp
[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49787 -> 192.168.1.70:162
The SNMP (Simple Network Management Protocol) Trap daemon usually listens on port 162, tcp or udp. An attacker sends a packet directed to tcp port 162; if successful, a reply is generated and the attacker may then launch further attacks against the SNMP daemon.
We can conclude that the attacker is trying to find open ports on 192.168.1.70. The attack was not successful because the firewall/IPS blocked it. This is a simple analysis. If you want more details about this, use Google, hehehe...
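The conclusion above comes from reading the three alerts together: one source, one target, several destination ports. The following is an added example (not code from the original post or from the Snort project) that automates that reading: it parses Snort "alert_fast" lines, groups them per source/destination pair and flags pairs that triggered alerts on several distinct destination ports. The sample log is constructed from the alerts shown in the post (each alert on one line, which is how Snort writes the fast log; the post wraps them), plus one constructed ICMP line without ports to show that the parser handles alerts that carry no port numbers. The function names, the three-port threshold and the ICMP sample line are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in Snort "alert_fast" format, modelled on the alerts in the post.
# The last line is a constructed ICMP alert: no ports, and the "[**]" after the message
# that some Snort versions emit, so the parser has to tolerate both layouts.
SAMPLE_FAST_LOG = """\
12/17-03:31:49.442610 [**] [1:1418:11] SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49786 -> 192.168.1.70:161
12/17-03:31:49.885321 [**] [1:1418:11] SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49787 -> 192.168.1.70:161
12/17-03:33:22.683878 [**] [1:1421:11] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49786 -> 192.168.1.70:705
12/17-03:33:23.152793 [**] [1:1421:11] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49787 -> 192.168.1.70:705
12/17-03:33:24.532724 [**] [1:1420:11] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49786 -> 192.168.1.70:162
12/17-03:33:25.010310 [**] [1:1420:11] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49787 -> 192.168.1.70:162
12/17-03:33:30.000000 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.30 -> 192.168.1.70
"""

# One alert per line: timestamp, [gid:sid:rev], message, optional "[**]", classification,
# priority (optionally followed by ":"), protocol, src[:port] -> dst[:port].
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"(?:\[\*\*\]\s+)?"
    r"\[Classification:\s*(?P<cls>[^\]]+)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]:?\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_log(text):
    """Parse alert_fast lines into dicts; lines that are not complete alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        alerts.append({
            "ts": d["ts"], "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
            "msg": d["msg"], "classification": d["cls"], "priority": int(d["prio"]),
            "proto": d["proto"],
            "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
            "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
        })
    return alerts


def summarize_by_source(alerts):
    """Group alerts by (src, dst): alert count, distinct sids and distinct destination ports."""
    summary = defaultdict(lambda: {"count": 0, "sids": set(), "dports": set()})
    for a in alerts:
        s = summary[(a["src"], a["dst"])]
        s["count"] += 1
        s["sids"].add(a["sid"])
        if a["dport"] is not None:  # ICMP alerts carry no port
            s["dports"].add(a["dport"])
    return dict(summary)


def probing_sources(alerts, min_ports=3):
    """(src, dst) pairs that raised alerts on at least min_ports distinct destination ports.

    The threshold is an assumption of this example; tune it to the sensor's normal traffic."""
    return sorted(pair for pair, s in summarize_by_source(alerts).items()
                  if len(s["dports"]) >= min_ports)


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    for (src, dst), s in summarize_by_source(alerts).items():
        print(f"{src} -> {dst}: {s['count']} alerts, sids {sorted(s['sids'])}, "
              f"dst ports {sorted(s['dports'])}")
    print("port-probing pairs:", probing_sources(alerts))
```

To run it on a real sensor, replace SAMPLE_FAST_LOG with the contents of /var/log/snort/snort_inline-fast; the per-pair summary is the same "one source, many ports" picture the post reaches by hand, and the ICMP case shows why the port set must tolerate alerts without ports.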
Yeah, but doesn't inline mode work as an IPS? What does Snort do against the attacker?