
| Subject: | [Snort-users] Suggested directions for investigation?? |
|---|---|
| Date: | Tue, 23 Nov 2004 23:20:13 -0700 |
I just brought up my snort\acid\mysql box. I have a situation where I am seeing hundreds of alerts with the same source IP and the same destination IP; it seems to be getting hit by 3 alert signatures. These alerts are climbing the ports on the source but all point back to the destination on port 80. The alerts are:

- (http_inspect) APACHE WHITESPACE (TAB)
- (http_inspect) BARE BYTE UNICODE ENCODING
- (http_inspect) NON-RFC HTTP DELIMITER

Since I'm seeing the ports increment numerically (most of the time; sometimes there are gaps of 2-10 ports), I'm under the impression I'm getting port scanned on the source box (internal IP on corp network) by the destination (public IP).

Would anyone (please) point me in the next direction on investigating what is going on and what to do? My team and I can "big hammer" the situation by formatting the destination and securing the firewall implicitly on the source IP, but what I'm hoping to find out is: what would those of you with years of working these incidents do?

Here is the ARIN whois on the source IP:

```
**SNIP**
Server Used: [ whois.arin.net ]
66.182.90.242 = [ cust-66-182-90-242.bbsc.net ]

OrgName:    BroadBand Solutions America
OrgID:      BSA-26
Address:    630 West 9560 South Suite A
City:       Sandy
StateProv:  UT
PostalCode: 84070
Country:    US

NetRange:   66.182.64.0 - 66.182.95.255
CIDR:       66.182.64.0/19
NetName:    BBSC-NET
NetHandle:  NET-66-182-64-0-1
Parent:     NET-66-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.BBSC.NET
NameServer: NS4.BBSC.NET
**SNIP**
```

Thanks in advance to any and all suggestions (tell me which ones to read and I'll RTFM!!!)

Mike
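One way to triage the pattern the post describes, as an added example that is not from the thread: parse Snort fast-format alert lines, group them by address pair, and check whether the source ports look like a client's rising ephemeral ports aimed at one service port (a host opening successive outbound HTTP connections, which is what http_inspect client alerts normally ride on) or like one source touching many destination ports. The sample lines, addresses and gid:sid values below are constructed placeholders, not the poster's data.

```python
import re
from collections import defaultdict
# Constructed Snort fast-format alert lines; addresses and gid:sid values are placeholders.
SAMPLE_ALERTS = """\
11/23-23:20:13.000001 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.5:1045 -> 203.0.113.9:80
11/23-23:20:13.000002 [**] [119:6:1] (http_inspect) NON-RFC HTTP DELIMITER [**] [Priority: 3] {TCP} 10.0.0.5:1046 -> 203.0.113.9:80
11/23-23:20:14.000003 [**] [119:5:1] (http_inspect) APACHE WHITESPACE (TAB) [**] [Priority: 3] {TCP} 10.0.0.5:1047 -> 203.0.113.9:80
11/23-23:20:14.000004 [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.5:1051 -> 203.0.113.9:80
11/23-23:21:02.000005 [**] [1:9999:1] CONSTRUCTED SCAN ALERT [**] [Priority: 2] {TCP} 198.51.100.7:40001 -> 10.0.0.5:21
11/23-23:21:02.000006 [**] [1:9999:1] CONSTRUCTED SCAN ALERT [**] [Priority: 2] {TCP} 198.51.100.7:40002 -> 10.0.0.5:22
11/23-23:21:02.000007 [**] [1:9999:1] CONSTRUCTED SCAN ALERT [**] [Priority: 2] {TCP} 198.51.100.7:40003 -> 10.0.0.5:23
""".splitlines()

FAST = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse(lines):
    """Return one dict per line that matches the fast-alert layout; skip anything else."""
    alerts = []
    for line in lines:
        m = FAST.search(line)
        if m:
            alerts.append({k: int(v) if k in ("sport", "dport") else v
                           for k, v in m.groupdict().items()})
    return alerts

def triage(alerts, ephemeral_min=1024):
    """Group alerts by (src, dst) and classify the port pattern in each group."""
    pairs = defaultdict(list)
    for a in alerts:
        pairs[(a["src"], a["dst"])].append(a)
    report = {}
    for key, items in pairs.items():
        sports = [a["sport"] for a in items]
        dports = {a["dport"] for a in items}
        ephemeral = sum(p >= ephemeral_min for p in sports) / len(sports)
        steps = list(zip(sports, sports[1:]))
        rising = sum(b > a for a, b in steps) / len(steps) if steps else 0.0
        verdict = "review"
        if len(dports) == 1 and ephemeral >= 0.9 and rising >= 0.8:
            # rising ephemeral source ports toward one service port: src is the client, so look at its outbound traffic
            verdict = "client_sessions"
        elif len(dports) >= 3:
            verdict = "possible_port_scan"  # one source touching several service ports on the target
        report[key] = {"count": len(items), "dports": sorted(dports), "verdict": verdict,
                       "messages": sorted({a["msg"] for a in items})}
    return report
```

A "client_sessions" verdict means the source host is the one initiating the HTTP sessions, so the next step is inspecting what that host is requesting rather than treating it as a scan target.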