-
Jinxy:
Trust me.... The IDS sigs/info, (note that the end of every line in the jpg ends in IDSXX where XX is an incrementing number), from whitehats contain the Snort sig _and_ the packet dump to demonstrate.... The sig or the packet dump will almost always kick off an IDS alert in IDS's, (kerio?), that don't apply specific rules to the depth and offsets in the packets received.....
That is exactly what is happening here and why I suspect it is kerio that is d/ling the information....
-
Tiger > That crossed my mind, and is probably what happened. The thing that threw me off is that there are a bunch of real attempts in between those downloaded definitions (the part I took a screen shot of is the only one that doesn't have others in between) - there's an "unsuccessful miscellaneous PCAnyWhere login", for example - and a bunch of NetBios-attempts. Those too have a reference URL at whitehats.com, making it look like Kerio's IDS is saying "Hey, someone tried something - here's the URL if you want more info" - and that's what it looked like to me for those "downloaded definitions". They could at least put that info somewhere else - it's in the "High priority intrusions" log :s
-
Neg:
They would be in the "High Priority" if the "intrusion" attempt were not specifically delineated.... This is why Snort is the best out there as an IDS...
For example.... let's say that the word "Neg" is considered part of an attack sequence,,,,
An _improperly_ designed IDS will alert on the word "Neg" in any packet, anywhere in the packet....
But, in reality, the word "Neg" in the attack sequence _only_ occurs between the 65th and 85th bytes in the packet.... Then a Snort rule will delineate that.... The other rules that look only for content as opposed to its proper position within a packet will alert where Snort would pass it....
This is what you are experiencing.... No offense, an inferior "IDS", (Kerio is a firewall that likes to tell you how well it is doing...), is warning you about things it shouldn't....
Now, do as I asked please.... Go kiss Mel.... twice now.... and quit worrying.... You did everything right.... except not kissing her first time around and forgetting about it.... ;)
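An added illustration of the offset/depth point made above (example code, not from the thread and not Snort's own engine): a naive "content anywhere" check beside a Snort-style match restricted to bytes 65 through 85, run over constructed packets. Snort's `content`, `offset` and `depth` rule keywords are real; the "Neg" pattern, the packet layouts and the function names are assumptions made for this example.

```python
# Added example: why a position-agnostic IDS fires where a Snort rule with
# offset/depth constraints stays quiet. Pattern and packets are constructed.

PATTERN = b"Neg"

def naive_match(payload: bytes, pattern: bytes = PATTERN) -> bool:
    """Improperly designed IDS: alert if the pattern appears anywhere."""
    return pattern in payload

def snort_style_match(payload: bytes, pattern: bytes = PATTERN,
                      offset: int = 64, depth: int = 21) -> bool:
    """Snort semantics for  content:"Neg"; offset:64; depth:21;
    Start searching 'offset' bytes into the payload and look at only
    'depth' bytes from there. offset=64/depth=21 covers 1-based bytes
    65..85, matching the thread's example; the hit must fit inside."""
    window = payload[offset:offset + depth]
    return pattern in window

def build_packet(prefix_len: int, filler: bytes = b"\x00",
                 total: int = 128) -> bytes:
    """Constructed payload: 'prefix_len' filler bytes, the pattern, padding."""
    return (filler * prefix_len + PATTERN).ljust(total, filler)

# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = {
    # "Neg" at bytes 4-6: harmless text that merely contains the word.
    "chat_message": b"Hi Neg, are you watching Jason X?".ljust(128, b" "),
    # "Neg" at bytes 71-73: inside the 65..85 window the rule cares about.
    "in_window": build_packet(70),
    # "Neg" at bytes 101-103: right content, wrong place.
    "past_window": build_packet(100),
}

def evaluate(packets: dict) -> dict:
    """Return {name: (naive_alerts, snort_alerts)} for each packet."""
    return {name: (naive_match(p), snort_style_match(p))
            for name, p in packets.items()}

def false_positives(packets: dict) -> list:
    """Packets the naive IDS flags that the position-aware rule passes."""
    return sorted(name for name, (naive, snort) in evaluate(packets).items()
                  if naive and not snort)

if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_PACKETS).items():
        print(f"{name:13s} naive={verdict[0]!s:5s} snort={verdict[1]}")
    print("false positives from naive matching:", false_positives(SAMPLE_PACKETS))
```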
-
Now, I don't pay very many visits to whitehats.com, but have you tried any firewall/intrusion tests from that site? Do they even offer such services? I'm pretty sure you would have known that, but I thought I might as well ask... I'll have to check my firewall logs once I get to my computer... As of now, I'm watching Jason X on Sci Fi :D :D
-
First of all, you're using KPF 2 if I'm not mistaken. Dump it and get KPF 4. It's less whiny and has a better IDS.
Cheers,
cgkanchi
-
-
I guess no-one can see my posts....
That being the case..... Can I kiss Mel..... While you reformat and reinstall.... :D
-
-
Tiger, I asked you a question in an AP assignment... :)
-
Duck: You're right.... My addled brain forgot about it... I apologize....
I don't know about a particular site.... I learned about how Snort actually works by buying the book Snort 2.1, though there is a Snort 2.2 book and be aware that Snort 2.3 was recently released... It's a great book that gets into the engine itself and the way rules are written and interpreted by Snort itself.... Quite fascinating.....