Tuesday, July 10, 2012

Analyzing a Snort Alert

Yesterday I was going about my work when I noticed three alerts on my IDS with the signature shown below.


I looked at the payload, and it was huge, as shown below.


I looked up the IP at http://whois.domaintools.com/91.229.143.59, but I did not get any information that was useful to me.

I wanted to clean up the payload shown above to see just the URLs, so I used the following command (keep the lines containing "http", take the first space-delimited field, keep the ones containing a single quote, and cut at that quote):

grep http tmp.txt | cut -d" " -f1 | grep \' | cut -d\' -f1


Fair enough: except for the first one, all the others do look malicious, so I went to my web proxy logs to see how I had ended up on that IP.

One look at the proxy logs and I felt like an amnesia patient getting his or her memories back :-D, because yesterday I had been using urlquery.net for an experiment I was running.


Bottom line: long story short, it really pays to have logging enabled so you can determine whether an incident is a false positive or not :-)
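The two steps above (pulling the URLs out of the raw payload, then checking the proxy logs to see how the host came to be contacted) can be scripted so the same triage is repeatable. The following is an added example, not code from the original post: the payload text, the proxy log lines and their column layout (timestamp, client IP, status, URL, referer) are all constructed for illustration, and the only identifiers taken from the post are the alerting IP 91.229.143.59 and urlquery.net. The URL extraction generalises the grep/cut pipeline by matching any http(s) URL rather than relying on a quote delimiter, and the correlation step flags a request as a likely false positive when its referer is a known analysis service the analyst was using.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample payload, mimicking a raw Snort packet payload in which
# URLs are followed by single quotes (the assumption behind the grep|cut pipeline).
SAMPLE_PAYLOAD = """GET /report.php?id=1 HTTP/1.1
Host: urlquery.net
data: http://urlquery.net/report.php?id=1' src='http://bad.example/exploit.php'
more: 'http://evil.example/gate.php?x=1' 'http://bad.example/x.jar'
"""

# Constructed proxy log lines: timestamp client status url referer ("-" = none).
# 10.0.0.5 reached the alerting IP while browsing a urlquery.net report;
# 10.0.0.9 reached it hours later with no referer at all.
SAMPLE_PROXY_LOG = """\
2012-07-09T14:01:58 10.0.0.5 200 http://urlquery.net/ -
2012-07-09T14:02:05 10.0.0.5 200 http://urlquery.net/report.php?id=1 http://urlquery.net/
2012-07-09T14:02:07 10.0.0.5 200 http://91.229.143.59/x.jar http://urlquery.net/report.php?id=1
2012-07-09T16:30:00 10.0.0.9 200 http://91.229.143.59/gate.php -
"""

# Analysis services whose reports embed third-party URLs; a referer from one of
# these explains an outbound request without implying the client was compromised.
ANALYSIS_SERVICES = ("urlquery.net",)

URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def extract_urls(payload):
    """Return the unique URLs in a payload, in order of first appearance."""
    found = []
    for match in URL_RE.finditer(payload):
        url = match.group(0)
        if url not in found:
            found.append(url)
    return found


def parse_proxy_log(text):
    """Parse the constructed space-separated proxy format into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, url, referer = line.split()
        entries.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "status": int(status),
            "url": url,
            "referer": None if referer == "-" else referer,
        })
    return entries


def hostname(url):
    return (urlparse(url).hostname or "") if url else ""


def triage_alert(alert_host, alert_time, entries, window=timedelta(minutes=5)):
    """Find proxy requests to alert_host within +/- window of the alert and
    classify each one by its referer: a known analysis service means the
    request is a likely false positive, anything else needs a closer look."""
    verdicts = []
    for entry in entries:
        if hostname(entry["url"]) != alert_host:
            continue
        if abs(entry["time"] - alert_time) > window:
            continue
        ref_host = hostname(entry["referer"])
        benign = any(ref_host == s or ref_host.endswith("." + s) for s in ANALYSIS_SERVICES)
        verdicts.append((entry["client"], "likely-false-positive" if benign else "investigate", ref_host))
    return verdicts


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_PAYLOAD):
        print("payload URL:", url)
    alert_time = datetime(2012, 7, 9, 14, 2, 10)   # constructed alert timestamp
    for client, verdict, ref in triage_alert("91.229.143.59", alert_time, parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"{client}: {verdict} (referer host: {ref or 'none'})")
```

Widening the window (for example to a few hours) also surfaces the 10.0.0.9 request, which has no referer and is therefore reported as "investigate" rather than explained away; the point is that the proxy log, not the IDS payload alone, is what separates the analyst's own urlquery.net browsing from a client that fetched the same host on its own.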
