[Dshield] Where should you start - I'll wrap it myself

Al Reust areust at comcast.net
Thu Apr 8 04:52:58 GMT 2004


Hi Chris et al

You hit the nail on the head.. My post resulted in a False Positive to a 
Moron Service. This also goes along with Out of Office (OOF) replies, which 
should never get outside the MTA.... The person that needs to know needs 
to look at the headers to see who they are.. Please do not laugh too loud.

<Quote>
Received: from spamkill.temmc.com 
(dallas-pix.bjke.com[216.207.61.67](untrusted sender))
           by rwcrmxc16.comcast.net (rwcrmxc16) with ESMTP
           id <20040408024140r1600cj0n4e>; Thu, 8 Apr 2004 02:41:40 +0000
X-Originating-IP: [216.207.61.67]
Received: from root by spamkill.temmc.com with local (Exim 4.30)
	id 1BBPQ1-0005xa-Hc
	for areust at comcast.net; Wed, 07 Apr 2004 21:37:29 -0500
To: Al Reust <areust at comcast.net>
Subject: Re: Your last message to me was rejected.
In-Reply-To: <5.1.0.14.2.20040407181239.02c92b10 at mail.comcast.net>
Auto-Submitted: auto-replied
Message-Id: <E1BBPQ1-0005xa-Hc at spamkill.temmc.com>
From: postmaster at temmc.com
Date: Wed, 07 Apr 2004 21:37:29 -0500


  Your mail with Subject: [Dshield] For those that want to see what a Snort 
Sensor can see

   would appear to be unsolicited mail.

  Your message was sent to: General DShield Discussion List 
<list at lists.dshield.org>
  If you intended to contact that person for legitimate reasons then our 
apologies.

  Please would you resend to the same address
  but add real- to the e-mail address, and it will bypass the filters.
  For example, bobm at example.com would become real-bobm at example.com. Thank you.

  Postmaster

  Here is the messageID for postmaster reference: 1BBPPz-0005xN-Py:

------ This is a copy of the message, including all the headers. ------

Received: from root by spamkill.temmc.com with spam-scanned (Exim 4.30)
	id 1BBPPz-0005xN-Py
	for jlinscot at temmc.com; Wed, 07 Apr 2004 21:37:29 -0500
Received: from localhost by localhost.localdomain
	with SpamAssassin (2.63-myrules1 2004-01-11);
	Wed, 07 Apr 2004 21:41:11 -0500
From: Al Reust <areust at comcast.net>
To: General DShield Discussion List <list at lists.dshield.org>
Subject: [Dshield] For those that want to see what a Snort Sensor can see
Date: Wed, 07 Apr 2004 19:23:32 -0700
Message-Id: <5.1.0.14.2.20040407181239.02c92b10 at mail.comcast.net>
X-Spam-Test-Scores: DONT_DELETE=0.827,NORMAL_HTTP_TO_IP=0.211,
	RCVD_IN_SORBS=1.8,RCVD_IN_SORBS_SPAM=2.7
X-Spam-Pyzor:
X-Spam-Level: *****
X-Spam-DCC: :
X-Spam-Status: Yes, hits=5.5 required=5.0 tests=DONT_DELETE,NORMAL_HTTP_TO_IP,
	RCVD_IN_SORBS,RCVD_IN_SORBS_SPAM autolearn=no version=2.63-myrules1
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.63-myrules1 (2004-01-11) on
	localhost.localdomain
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_4074BBC7.AF88496D"

This is a multi-part message in MIME format.

------------=_4074BBC7.AF88496D
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "localhost.localdomain", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or block
similar future email.  If you have any questions, see
postmaster at temmc.com for details.

Content preview:  Hello All I have been working on upgrading my IDS's to
   Snort 2.1.1 and previously posted that I have mix that works.
   PHP/MYSQL/Acid console. This covers 5 active sensors in DMZ's and
   various test sensors to see what happens when you have to upgrade the
   Snort or the support files. Any way you look at it, it is an added pain
   in the butt.. [...]

Content analysis details:   (5.5 points, 5.0 required)

  pts rule name              description
---- ---------------------- --------------------------------------------------
  0.8 DONT_DELETE            BODY: Don't delete me!  Nooooo!!!!
  0.2 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
  2.7 RCVD_IN_SORBS_SPAM     RBL: SORBS: spam source or spam-supporting ISP
                             [204.127.202.55 listed in dnsbl.sorbs.net]
  1.8 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                             [67.161.81.163 listed in dnsbl.sorbs.net]
                             [204.127.202.55 listed in dnsbl.sorbs.net]



------------=_4074BBC7.AF88496D
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Received: from chihub2.truenorth.com ([170.200.92.68])
	by spamkill.temmc.com with esmtp (Exim 4.30)
	id 1BBPPz-0005xK-Il
	for jlinscot at temmc.com; Wed, 07 Apr 2004 21:37:27 -0500
Received: from chiscan1.interpublic.com ([170.200.92.68]) by
           chihub2.truenorth.com (Netscape Messaging Server 4.15) with
           ESMTP id HVTZHD02.47J for <jlinscot at temmc.com>; Wed, 7 Apr 2004
           21:41:37 -0500
Received: from chiscan1.interpublic.com (localhost.localdomain [127.0.0.1])
	by chiscan1proxy.interpublic.com (Postfix) with ESMTP id 5763E73C79
	for <jlinscot at temmc.com>; Wed,  7 Apr 2004 21:41:37 -0500 (CDT)
Received: from mail.giac.net (mail1.giac.net [65.173.218.103])
	by chiscan1.interpublic.com (Postfix) with SMTP id 35F6573C74
	for <jlinscot at temmc.com>; Wed,  7 Apr 2004 21:41:37 -0500 (CDT)
Received: (qmail 10146 invoked from network); 8 Apr 2004 02:38:43 -0000
Received: from  (HELO dshield.com) (@)
   by 0 with SMTP; 8 Apr 2004 02:38:43 -0000
Received: from maverick12.sans.org (localhost.localdomain [127.0.0.1])
	by dshield.com (8.11.6/8.11.6) with ESMTP id i382cfi11735;
	Thu, 8 Apr 2004 02:38:41 GMT
Received: from mail.giac.net (iceman1 [65.173.218.103])
	by dshield.com (8.11.6/8.11.6) with SMTP id i382Ggi11113
	for <list at lists.dshield.org>; Thu, 8 Apr 2004 02:16:42 GMT
Received: (qmail 32388 invoked from network); 8 Apr 2004 02:16:42 -0000
Received: from sccrmhc11.comcast.net (204.127.202.55)
	by 0 with SMTP; 8 Apr 2004 02:16:42 -0000
Received: from deltaflyer.comcast.net
	(c-67-161-81-163.client.comcast.net[67.161.81.163])
	by comcast.net (sccrmhc11) with SMTP id <2004040802164101100rthbke>
	(Authid: areust); Thu, 8 Apr 2004 02:16:42 +0000
Message-Id: <5.1.0.14.2.20040407181239.02c92b10 at mail.comcast.net>
X-Sender: areust at mail.comcast.net
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Wed, 07 Apr 2004 19:23:32 -0700
To: General DShield Discussion List <list at lists.dshield.org>
From: Al Reust <areust at comcast.net>
In-Reply-To: <5.1.0.14.2.20040407151236.02c83a40 at mail.comcast.net>
References: <5.1.0.14.2.20040405190358.01f912d0 at mail.comcast.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Mailman-Approved-At: Thu, 08 Apr 2004 02:35:23 +0000
Subject: [Dshield] For those that want to see what a Snort Sensor can see
X-BeenThere: list at lists.dshield.org
X-Mailman-Version: 2.1.4
Precedence: list
Reply-To: General DShield Discussion List <list at lists.dshield.org>
List-Id: General DShield Discussion List <list.lists.dshield.org>
List-Unsubscribe: <http://www.dshield.org/mailman/listinfo/list>,
	<mailto:list-request at lists.dshield.org?subject=unsubscribe>
List-Archive: <http://www.dshield.org/pipermail/list>
List-Post: <mailto:list at lists.dshield.org>
List-Help: <mailto:list-request at lists.dshield.org?subject=help>
List-Subscribe: <http://www.dshield.org/mailman/listinfo/list>,
	<mailto:list-request at lists.dshield.org?subject=subscribe>
Sender: list-bounces at lists.dshield.org
Errors-To: list-bounces at lists.dshield.org
X-Removed-Priv-SA-Headers:True
X-Spam-Flag-tm: TM-Spam-Flag

Hello All

I have been working on upgrading my IDS's to Snort 2.1.1 and previously
posted that I have a mix that works: PHP/MySQL/ACID console. This covers 5
active sensors in DMZ's and various test sensors to see what happens when
you have to upgrade the Snort or the support files. Any way you look at it,
it is an added pain in the butt..

This is on a Win Box (2K Pro) using DHCP on a "public" network (comcast). I
have not modified the basic rule sets from 3/24/2004, so you will see what
comes out of the box. Yes it reports differently than previously seen. New
definitions of false positives. Just call it progress...

Yes, IIS is fairly locked down and the box is patched.. I do not expect it
to be toppled.. I did want people to get a chance to look and see what can
be seen. I do not expect an attack to see if you can topple it.. I expect
to see what happens when a box is put in a "public" network. That is why I
opened the invitation to go look. Until you see you never know.

Typically, I would have the box doing "things" that could stress the CPU,
so if a hundred people hit it that I would expect that would be sluggish.
This does not mention what "they" feel as "user" network should do
"outbound."  If you take time to go look, please Do Not delete any alerts..
I do want to see what is happening.

It is a PIII 550 with 384meg of RAM. The RAM utilization is at about 75%

I will take it down Monday 12 April 2004 in the morning.

If you want to look the URL is

http://67.160.116.3/acid/acid_main.php

Username: visitor
Password: L00k at meplz ; Lzerozerok at meplz

This has been running here for about three+ hours 4:00pm PDT

Otherwise, Have Fun

If you have detailed questions please send off list. Yes the build document
is being revised, it is a "living" thing with all the updates...

One of the IPs that you will see is 67.161.81.163 that hosts my Dynamic
DNS, yes it gets attacked as it has IIS and FTP. See previous emails on
home networking. Yes I have 11 machines behind the firewall.. No I do not
have an MTA running.. Linksys support "sucks" so I bought a NetGear that
works.

R/

Al

_______________________________________________
list mailing list
list at lists.dshield.org
To change your subscription options (or unsubscribe), see: 
http://www.dshield.org/mailman/listinfo/list


------------=_4074BBC7.AF88496D--
<End Quote>
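The two things the thread asks of a recipient, recognising that the message is an auto-reply that should never have left the sending MTA and reading the Received: chain to see who actually sent it, can be done from the headers alone. The script below is an added example, not code from the original post, from DShield or from SpamAssassin. It parses trimmed copies of the headers quoted above with the Python standard library (with the archive's " at " obfuscation restored to "@"); the checks it applies (RFC 3834's Auto-Submitted header, Precedence: list and List-* headers, walking Received: oldest-first, SpamAssassin's X-Spam-Status line) are standard practice, while the regular expressions and function names are this example's own.

```python
"""Triage an auto-reply that escaped an MTA and landed on a mailing list.

Added example (not code from the original post, DShield or SpamAssassin):
from headers alone, is this RFC 3834 auto-submitted mail that must not be
answered and should never have been sent to list traffic; which MTA injected
it and from which IP (Received: oldest-first); why SpamAssassin flagged it.
"""
import re
from email import message_from_string

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed samples: trimmed copies of the headers quoted in the thread,
# with the archive's " at " obfuscation restored to "@".
AUTO_REPLY = """\
Received: from spamkill.temmc.com (dallas-pix.bjke.com[216.207.61.67](untrusted sender))
    by rwcrmxc16.comcast.net (rwcrmxc16) with ESMTP
    id <20040408024140r1600cj0n4e>; Thu, 8 Apr 2004 02:41:40 +0000
Received: from root by spamkill.temmc.com with local (Exim 4.30)
    id 1BBPQ1-0005xa-Hc
    for areust@comcast.net; Wed, 07 Apr 2004 21:37:29 -0500
Subject: Re: Your last message to me was rejected.
In-Reply-To: <5.1.0.14.2.20040407181239.02c92b10@mail.comcast.net>
Auto-Submitted: auto-replied
From: postmaster@temmc.com

Your mail would appear to be unsolicited mail.
"""

LIST_MESSAGE = """\
Received: from chihub2.truenorth.com ([170.200.92.68])
    by spamkill.temmc.com with esmtp (Exim 4.30)
    id 1BBPPz-0005xK-Il
    for jlinscot@temmc.com; Wed, 07 Apr 2004 21:37:27 -0500
Received: from sccrmhc11.comcast.net (204.127.202.55)
    by 0 with SMTP; 8 Apr 2004 02:16:42 -0000
Received: from deltaflyer.comcast.net
    (c-67-161-81-163.client.comcast.net[67.161.81.163])
    by comcast.net (sccrmhc11) with SMTP id <2004040802164101100rthbke>
    (Authid: areust); Thu, 8 Apr 2004 02:16:42 +0000
From: Al Reust <areust@comcast.net>
To: General DShield Discussion List <list@lists.dshield.org>
Precedence: list
List-Id: General DShield Discussion List <list.lists.dshield.org>
X-Spam-Status: Yes, hits=5.5 required=5.0 tests=DONT_DELETE,NORMAL_HTTP_TO_IP,
    RCVD_IN_SORBS,RCVD_IN_SORBS_SPAM autolearn=no version=2.63-myrules1

Hello All
"""

def parse(raw):
    return message_from_string(raw)

def _unfold(value):
    return " ".join(value.split())  # collapse RFC 5322 folding whitespace

def is_auto_submitted(msg):
    # RFC 3834: any Auto-Submitted value other than "no" marks machine-generated mail
    return msg.get("Auto-Submitted", "no").strip().lower() != "no"

def may_auto_respond(msg):
    """Whether an autoresponder (OOF, challenge/response) should answer this at all."""
    if is_auto_submitted(msg):
        return False
    if msg.get("Precedence", "").strip().lower() in {"list", "bulk", "junk"}:
        return False
    return not any(k.lower().startswith("list-") for k in msg.keys())

def received_chain(msg):
    """Received: hops oldest-first; hops not shaped 'from X by Y' keep None fields."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        line = _unfold(value)
        m = re.match(r"from\s+(.*?)\s+by\s+(\S+)", line)
        src = m.group(1) if m else ""
        ip = IPV4.search(src)
        hops.append({"from": src.split()[0] if src else None,
                     "ip": ip.group(1) if ip else None,
                     "by": m.group(2) if m else None,
                     "date": line.rsplit(";", 1)[-1].strip() if ";" in line else None})
    return hops

def injecting_host(msg):
    """'by' host of the oldest hop: the MTA that first accepted or generated the mail."""
    return (received_chain(msg) or [{"by": None}])[0]["by"]

def first_external_ip(msg):
    """IP literal of the oldest hop that carries one: where the mail entered the chain."""
    return next((h["ip"] for h in received_chain(msg) if h["ip"]), None)

def spam_verdict(msg):
    """SpamAssassin X-Spam-Status -> flag, score, threshold, rule names (2.x 'hits', 3.x 'score')."""
    status = msg.get("X-Spam-Status")
    if not status:
        return None
    status = _unfold(status)
    head = re.match(r"(Yes|No),\s*(?:hits|score)=(-?[\d.]+)\s+required=([\d.]+)", status)
    tests = re.search(r"tests=(.*?)(?:\s+\w+=|$)", status)
    return {"flagged": head.group(1) == "Yes", "hits": float(head.group(2)),
            "required": float(head.group(3)),
            "tests": [t.strip() for t in tests.group(1).split(",") if t.strip()] if tests else []}
```

Run against the two samples, `may_auto_respond` is False for both: the auto-reply because of its Auto-Submitted header, and the list post because of Precedence: list and List-Id, which is exactly the check the temmc.com challenge/response filter skipped before answering a list message. `injecting_host` on the auto-reply gives spamkill.temmc.com, the Exim host that generated it locally, and `first_external_ip` gives 216.207.61.67, which is who the postmaster of that domain needs to hear from; `spam_verdict` on the original post recovers the 5.5/5.0 score and the four rule names, showing the trigger was the two SORBS listings of the comcast relay and the poster's own address rather than anything in the text.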
