Good Evening,
Just wondered if anyone could provide any clarification on the below events please. The majority seems to be coming from our DNS server.
Should I be concerned?
Top 15 Signatures
Signature Name | Percentage | Event Count
ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source) | 12.82% | 221
ET INFO Packed Executable Download | 12.01% | 207
ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - M... | 11.83% | 204
ET POLICY Outdated Windows Flash Version IE | 9.34% | 161
ET POLICY GNU/Linux APT User-Agent Outbound likely related to ... | 9.28% | 160
ET POLICY PE EXE or DLL Windows file download | 8.53% | 147
GPL SHELLCODE x86 0x90 NOOP unicode | 8.12% | 140
ET SHELLCODE Common 0a0a0a0a Heap Spray String | 4.93% | 85
GPL SHELLCODE x86 stealth NOOP | 2.73% | 47
ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a | 2.49% | 43
ET POLICY Vulnerable Java Version 1.7.x Detected | 2.38% | 41
ET TFTP Outbound TFTP Read Request | 2.03% | 35
ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second... | 1.8% | 31
GPL SHELLCODE x86 0xEB0C NOOP | 1.8% | 31
ET POLICY Suspicious inbound to MSSQL port 1433 | 1.8% | 31
ET POLICY Suspicious inbound to mySQL port 3306 | 1.62% | 28
ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious... | 1.62% | 28
ET INFO JAVA - ClassID | 1.62% | 28
ET POLICY Http Client Body contains pass= in cleartext | 1.62% | 28
ET POLICY Suspicious inbound to Oracle SQL port 1521 | 1.62% | 28