
Thread: This little piggy caught some hackers

  1. #1
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747

    This little piggy caught some hackers

    I just got my snort up and running and was looking through my logs when I saw this packet.



    08/21-12:25:22.876338 0:6:25:E4:80:1 -> 0:4:5A:65:94:65 type:0x800 len:0x59A
    199.107.65.177:80 -> 192.168.1.101:33572 TCP TTL:52 TOS:0x0 ID:59875 IpLen:20 DgmLen:1420 DF
    ***A**** Seq: 0x46A26A93 Ack: 0xD95C2753 Win: 0x1920 TcpLen: 32
    TCP Options (3) => NOP NOP TS: 1731940010 1769673
    22 2F 6C 6F 67 6F 73 2F 73 6E 6F 72 74 5F 74 6D "/logos/snort_tm
    2E 67 69 66 22 20 62 6F 72 64 65 72 3D 30 20 61 .gif" border=0 a
    6C 74 3D 22 54 68 69 73 20 6C 69 74 74 6C 65 20 lt="This little
    70 69 67 67 79 20 63 61 75 67 68 74 20 73 6F 6D piggy caught som
    65 20 68 61 63 6B 65 72 73 22 3E 3C 2F 74 64 3E e hackers"></td>
    0A 0A 20 20 20 3C 74 64 3E 0A 20 20 20 3C 74 61 .. <td>. <ta
    62 6C 65 20 62 6F 72 64 65 72 3D 30 20 63 65 6C ble border=0 cel
    6C 70 61 64 64 69 6E 67 3D 31 20 63 65 6C 6C 73 lpadding=1 cells
    70 61 63 69 6E 67 3D 30 20 77 69 64 74 68 3D 22 pacing=0 width="
    31 30 30 25 22 3E 0A 20 20 20 3C 74 72 3E 20 0A 100%">. <tr> .
    20 20 20 3C 74 64 20 63 6C 61 73 73 3D 22 74 61 <td class="ta
    62 6C 65 4F 75 74 6C 69 6E 65 31 22 3E 0A 20 20 bleOutline1">.
    20 20 20 20 3C 74 61 62 6C 65 20 62 6F 72 64 65 <table borde
    72 3D 30 20 63 65 6C 6C 73 70 61 63 69 6E 67 3D r=0 cellspacing=
    30 20 63 65 6C 6C 70 61 64 64 69 6E 67 3D 34 20 0 cellpadding=4
    77 69 64 74 68 3D 22 31 30 30 25 22 3E 0A 20 20 width="100%">.
    20 20 20 20 3C 74 72 20 76 61 6C 69 67 6E 3D 6D <tr valign=m
    69 64 64 6C 65 20 63 6C 61 73 73 3D 22 74 69 74 iddle class="tit
    6C 65 42 61 72 54 6F 70 22 3E 0A 20 20 20 20 20 leBarTop">.
    20 20 20 20 3C 74 64 3E 20 0A 09 20 20 20 20 3C <td> .. <
    73 70 61 6E 20 63 6C 61 73 73 3D 74 69 74 6C 65 span class=title
    3E 53 6E 6F 72 74 20 26 23 38 34 38 32 3B 3C 2F >Snort ™</
    73 70 61 6E 3E 0A 20 20 20 20 20 20 20 20 20 3C span>. <
    2F 74 64 3E 0A 20 20 20 20 20 20 20 20 20 3C 74 /td>. <t
    64 20 61 6C 69 67 6E 3D 72 69 67 68 74 3E 0A 09 d align=right>..
    20 20 20 20 3C 74 61 62 6C 65 20 62 6F 72 64 65 <table borde
    72 3D 30 20 63 65 6C 6C 73 70 61 63 69 6E 67 3D r=0 cellspacing=
    31 20 63 65 6C 6C 70 61 64 64 69 6E 67 3D 33 3E 1 cellpadding=3>
    0A 20 20 20 20 20 20 20 20 20 20 20 20 3C 74 72 . <tr
    20 63 6C 61 73 73 3D 22 74 61 62 6C 65 42 6F 64 class="tableBod
    79 31 22 3E 0A 20 20 20 20 20 20 20 20 20 20 20 y1">.
    20 20 20 20 3C 74 64 20 61 6C 69 67 6E 3D 63 65 <td align=ce
    6E 74 65 72 3E 20 3C 61 20 68 72 65 66 3D 22 2F nter> <a href="/
    73 6F 75 72 63 65 2E 68 74 6D 6C 22 3E 47 6F 74 source.html">Got
    20 53 6F 75 72 63 65 3F 3C 2F 61 3E 20 3C 2F 74 Source?</a> </t
    64 3E 0A 20 20 20 20 20 20 20 20 20 20 20 20 20 d>.
    20 20 3C 74 64 20 61 6C 69 67 6E 3D 63 65 6E 74 <td align=cent
    65 72 3E 20 3C 61 20 68 72 65 66 3D 22 2F 74 65 er> <a href="/te
    61 6D 2E 68 74 6D 6C 22 3E 4F 75 72 20 54 65 61 am.html">Our Tea
    6D 3C 2F 61 3E 20 3C 2F 74 64 3E 0A 09 20 20 20 m</a> </td>..
    20 20 20 20 3C 74 64 20 61 6C 69 67 6E 3D 63 65 <td align=ce
    6E 74 65 72 3E 20 3C 61 20 68 72 65 66 3D 22 2F nter> <a href="/
    61 62 6F 75 74 2E 68 74 6D 6C 22 3E 41 62 6F 75 about.html">Abou
    74 20 53 6E 6F 72 74 3C 2F 61 3E 20 3C 2F 74 64 t Snort</a> </td
    3E 0A 09 20 20 20 20 20 20 20 3C 74 64 20 61 6C >.. <td al
    69 67 6E 3D 63 65 6E 74 65 72 3E 20 3C 61 20 68 ign=center> <a h
    72 65 66 3D 22 2F 6C 69 63 65 6E 73 65 2E 68 74 ref="/license.ht
    6D 6C 22 3E 4C 69 63 65 6E 73 65 3C 2F 61 3E 20 ml">License</a>
    3C 2F 74 64 3E 0A 20 20 20 20 20 20 20 20 20 20 </td>.
    20 20 3C 2F 74 72 3E 0A 20 20 20 20 20 20 20 20 </tr>.
    20 20 20 20 3C 2F 74 61 62 6C 65 3E 0A 20 20 20 </table>.
    20 20 20 20 20 20 3C 2F 74 64 3E 0A 20 20 20 20 </td>.
    20 20 3C 2F 74 72 3E 0A 20 20 20 20 20 20 3C 2F </tr>. </
    74 61 62 6C 65 3E 0A 0A 0A 20 20 20 20 20 20 3C table>... <
    74 61 62 6C 65 20 77 69 64 74 68 3D 22 31 30 30 table width="100
    25 22 20 63 65 6C 6C 70 61 64 64 69 6E 67 3D 32 %" cellpadding=2
    20 63 65 6C 6C 73 70 61 63 69 6E 67 3D 30 20 62 cellspacing=0 b
    6F 72 64 65 72 3D 30 3E 0A 20 20 20 20 20 20 3C order=0>. <
    74 72 20 63 6C 61 73 73 3D 74 61 62 6C 65 42 6F tr class=tableBo
    64 79 31 20 76 61 6C 69 67 6E 3D 6D 69 64 64 6C dy1 valign=middl
    65 3E 0A 20 20 20 20 20 20 20 20 20 3C 74 64 20 e>. <td
    77 69 64 74 68 3D 22 35 30 25 22 20 6E 6F 77 72 width="50%" nowr
    61 70 3E 0A 09 20 20 20 20 3C 73 70 61 6E 20 63 ap>.. <span c
    6C 61 73 73 3D 68 65 61 64 69 6E 67 3E 54 68 65 lass=heading>The
    20 4F 70 65 6E 20 53 6F 75 72 63 65 20 4E 65 74 Open Source Net
    77 6F 72 6B 20 49 6E 74 72 75 73 69 6F 6E 20 44 work Intrusion D
    65 74 65 63 74 69 6F 6E 20 53 79 73 74 65 6D 3C etection System<
    2F 73 70 61 6E 3E 0A 20 20 20 20 20 20 20 20 20 /span>.
    3C 2F 74 64 3E 0A 09 20 3C 74 64 20 77 69 64 74 </td>.. <td widt
    68 3D 22 35 30 25 22 20 61 6C 69 67 6E 3D 72 69 h="50%" align=ri
    67 68 74 3E 0A 09 20 20 20 20 3C 62 3E 68 6F 73 ght>.. <b>hos
    74 65 64 20 62 79 20 3C 61 20 68 72 65 66 3D 22 ted by <a href="
    2F 65 78 74 65 72 6E 61 6C 2F 3F 75 72 6C 3D 68 /external/?url=h
    74 74 70 3A 2F 2F 77 77 77 2E 73 6F 75 72 63 65 ttp://www.source
    66 69 72 65 2E 63 6F 6D 22 3E 53 6F 75 72 63 65 fire.com">Source
    66 69 72 65 3C 2F 61 3E 3C 2F 62 3E 0A 20 20 20 fire</a></b>.
    20 20 20 20 20 20 3C 2F 74 64 3E 0A 20 20 20 20 </td>.
    20 20 3C 2F 74 72 3E 0A 20 20 20 20 20 20 3C 2F </tr>. </
    74 61 62 6C 65 3E 0A 20 20 20 3C 2F 74 64 3E 0A table>. </td>.
    0A 20 20 20 3C 2F 74 72 3E 3C 2F 74 61 62 6C 65 . </tr></table
    3E 0A 20 20 20 3C 2F 74 64 3E 0A 3C 2F 74 72 3E >. </td>.</tr>
    0A 3C 2F 74 61 62 6C 65 3E 0A 0A 0A 3C 70 3E 0A .</table>...<p>.
    0A 3C 74 61 62 6C 65 20 77 69 64 74 68 3D 22 31 .<table width="1
    30 30 25 22 20 63 65 6C 6C 70 61 64 64 69 6E 67 00%" cellpadding
    3D 33 20 63 65 6C 6C 73 70 61 63 69 6E 67 3D 30 =3 cellspacing=0
    20 62 6F 72 64 65 72 3D border=

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    If you look close to the top you see the words "this little piggy caught some hackers"

    What does this mean? Did it actually catch someone, or am I just so new to this that it's nothing to worry about?

  2. #2
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    I don't know if you've already done this... but it might help you to install and use some sort of log analyzer.

    http://www.snort.org/dl/contrib/data_analysis/

    Sorry I couldn't have been more help than that... but I've never really played with snort.

  3. #3
    Yeah, an analyzer breaks it down for you very nicely. I would personally recommend ACID (Analysis Console for Intrusion Detection). It's a tad bit on the slow side if you have a lot of requests to process, but it works GREAT.

    Hope this helps somewhat.

    Jonesy

    edit, link

  4. #4
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Sounds like something I need.

    Thanks for the links.

  5. #5
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    If you go over to http://www.astalavista.com/library/ids/win2ksnort.shtml

    This link shows you how to use ACID to analyse Snort's info, and then it uses some PHP and MySQL to put incidents in a database. Looks very nice from what I've seen; I need to get it set up on my network.

    It's a pretty comprehensive tutorial.

    Teehehehe, I thought that HTML on the side made something that looked familiar. Did you go to the Snort website at this time??

    If you go to http://www.snort.org/ and then put the cursor above the picture of the pig, you'll get the message "this little pigey caught a hacker". That thing in the logs is just logs of Snort's webpage.

    If you get rid of the hex on that log, join up the tags and words together, and get rid of the full stops, then it's almost an exact replica of Snort's page. The only difference is the log finishes before the website can be properly formatted.

    i2c

  6. #6
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    Ummm...just looking at this...it looks to me like you found Snort's web site.

    08/21-12:25:22.876338 0:6:25:E4:80:1 -> 0:4:5A:65:94:65 type:0x800 len:0x59A
    199.107.65.177:80 -> 192.168.1.101:33572 TCP TTL:52 TOS:0x0 ID:59875 IpLen:20 DgmLen:1420 DF
    Name: www.snort.org
    Address: 199.107.65.177
    Aliases: 177.65.107.199.in-addr.arpa

    It looks to me like you requested www.snort.org and the packet you pasted is merely part of the reply from the server that was returning the web page. I don't see anything unusual here...

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
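As an added example (not from any poster in this thread), here is the check i2c and nebulus200 describe, done in code: read the IP/port line of a Snort ASCII packet log to see which side sent the packet, and decode the hex column back into the payload so the HTML can be read without the "." placeholders. The log text is constructed from the first rows of the dump above; the LAN prefix 192.168.0.0/16 is an assumption taken from the capture.

```python
import re

# Constructed sample in the layout of a Snort ASCII packet log: header
# lines, then 16-byte hex rows with an ASCII column (first five rows of
# the dump in this thread).
SAMPLE_LOG = """\
08/21-12:25:22.876338 0:6:25:E4:80:1 -> 0:4:5A:65:94:65 type:0x800 len:0x59A
199.107.65.177:80 -> 192.168.1.101:33572 TCP TTL:52 TOS:0x0 ID:59875 IpLen:20 DgmLen:1420 DF
***A**** Seq: 0x46A26A93 Ack: 0xD95C2753 Win: 0x1920 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1731940010 1769673
22 2F 6C 6F 67 6F 73 2F 73 6E 6F 72 74 5F 74 6D "/logos/snort_tm
2E 67 69 66 22 20 62 6F 72 64 65 72 3D 30 20 61 .gif" border=0 a
6C 74 3D 22 54 68 69 73 20 6C 69 74 74 6C 65 20 lt="This little
70 69 67 67 79 20 63 61 75 67 68 74 20 73 6F 6D piggy caught som
65 20 68 61 63 6B 65 72 73 22 3E 3C 2F 74 64 3E e hackers"></td>
"""

IP_LINE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (TCP|UDP)")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_header(log):
    """Return src/dst address, port and protocol from the IP line, or None."""
    for line in log.splitlines():
        m = IP_LINE.match(line.strip())
        if m:
            return {"src_ip": m.group(1), "src_port": int(m.group(2)),
                    "dst_ip": m.group(3), "dst_port": int(m.group(4)),
                    "proto": m.group(5)}
    return None


def decode_payload(log):
    """Rebuild the raw payload from the hex column. The ASCII column prints
    '.' for every non-printable byte (newlines, tabs), so the hex is the
    reliable source. A row holds at most 16 bytes; header lines never start
    with a two-digit hex token, so they contribute nothing."""
    out = bytearray()
    for line in log.splitlines():
        tokens = line.split()
        n = 0
        while n < min(16, len(tokens)) and HEX_BYTE.match(tokens[n]):
            n += 1
        out.extend(int(t, 16) for t in tokens[:n])
    return bytes(out)


def classify(log):
    """Name the direction of the packet from its ports (assumes 192.168/16
    is the monitored LAN, as in this thread's capture)."""
    hdr = parse_header(log)
    if hdr is None:
        return "no IP header line found"
    if hdr["src_port"] in (80, 443) and hdr["dst_ip"].startswith("192.168."):
        return "inbound reply from a web server to a LAN client"
    if hdr["dst_port"] in (80, 443) and hdr["src_ip"].startswith("192.168."):
        return "outbound request from a LAN client to a web server"
    return "other traffic"
```

Run on the sample, `classify` reports a web-server reply to the LAN client and `decode_payload` yields the `alt="This little piggy caught some hackers"` markup as plain HTML.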

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    I'll second Nebulus200's opinion. It looks like you requested a page at the Snort website and you just captured its response.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #8
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    /me goes and runs in a hole and never comes out.

    oops.

    Well I never used snort before, and I haven't really learned how to accurately read packets, but I think I'm gonna start finding tuts on how to read packets.
    Thanks for the help guys.
