Security

snort log

Beginner's CHOMAN 2015.06.11 17:34

Things it catches without false positives...



bittorrent

Date: 11/06 09:58:02

Name: ET P2P BitTorrent peer sync

Priority: 1

Type: Potential Corporate Privacy Violation

IP Info: 192.168.9.138:48733 -> xx.xx.109.157:17393

SID: 2000334

Refs: http://doc.emergingthreats.net/bin/view/Main/2000334, http://bitconjurer.org/BitTorrent/protocol.html


utorrent

Date: 11/06 09:58:02

Name: ET P2P BitTorrent peer sync

Priority: 1

Type: Potential Corporate Privacy Violation

IP Info: 192.168.9.138:48733 -> xx.xx.109.157:17393

SID: 2000334

Refs: http://doc.emergingthreats.net/bin/view/Main/2000334, http://bitconjurer.org/BitTorrent/protocol.html


dropbox

Date: 11/06 10:09:08

Name: ET POLICY Dropbox.com Offsite File Backup in Use

Priority: 1

Type: Potential Corporate Privacy Violation

IP Info: 192.168.9.20:33510 -> xx.xx.162.116:80

SID: 2012647

Refs: http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/, http://www.dropbox.com 


port scan (when port scanning with nmap)

ET SCAN Potential SSH Scan OUTBOUND

Attempted Information Leak


When logging in to a site without encryption? (This presumably means the string "pass=" was detected in the HTTP body.)

ET POLICY Http Client Body contains pass= in cleartext

Potential Corporate Privacy Violation


Below is the actual packet dump text


10:03:01.626779 IP 192.168.9.138.8220 > xx.xx.xx.104.80: Flags [P.], seq 0:635, ack 1, win 256, length 635

E....k@...u...  .sD>h ..P..UVt~v.P....T..POST /index_main.php HTTP/1.1

Host: xxx

Connection: keep-alive

Content-Length: 84

Cache-Control: max-age=0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Origin: http://xx.xx.com

User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36

Content-Type: application/x-www-form-urlencoded

Referer: http://xx.xxx.xxx

Accept-Encoding: gzip,deflate

Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.6,en;q=0.4


host=xx.com&mailhost=xx.x.x.x.x&f_user=kenseu&f_pass=평문노출
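As an added example (not code from the original post or from the Emerging Threats ruleset), the following Python reproduces the idea behind the "Http Client Body contains pass= in cleartext" alert on a reassembled HTTP request like the dump above: it parses the request, checks that it is an unencrypted form POST, and reports any body field whose name contains "pass". It assumes the input is already reassembled request text (not a pcap), that only application/x-www-form-urlencoded bodies are inspected, and that a field name containing "pass" is the match condition; the sample request is constructed from the dump with the password value replaced by a placeholder.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample based on the packet dump in the post; the password value
# is a placeholder, and Content-Length is omitted because the body differs.
SAMPLE_REQUEST = (
    "POST /index_main.php HTTP/1.1\r\n"
    "Host: xxx\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Origin: http://xx.xx.com\r\n"
    "\r\n"
    "host=xx.com&mailhost=xx.x.x.x.x&f_user=kenseu&f_pass=REDACTED"
)

# Constructed negative sample: a GET has no client body to inspect.
SAMPLE_GET = "GET /index_main.php HTTP/1.1\r\nHost: xxx\r\n\r\n"

# Assumption: a field "looks like a password field" if its name contains "pass"
# (case-insensitive); the page only shows the rule title, not its exact content match.
PASS_FIELD = re.compile(r"pass", re.IGNORECASE)


def parse_http_request(raw):
    """Split raw request text into (request_line, headers_dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_cleartext_password_fields(raw, tls=False):
    """Return [(field_name, value_length), ...] for password-looking form fields
    sent in an unencrypted HTTP body. Only the name and length are recorded so
    the detector never copies the credential itself into an alert."""
    if tls:  # TLS-wrapped traffic is not cleartext; nothing to flag
        return []
    request_line, headers, body = parse_http_request(raw)
    method = request_line.split(" ", 1)[0]
    if method != "POST":
        return []
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if PASS_FIELD.search(name):
            hits.append((name, len(value)))
    return hits


def alert_for(raw, src, dst, tls=False):
    """Build an alert string in the spirit of the ET POLICY alert, or None."""
    hits = find_cleartext_password_fields(raw, tls=tls)
    if not hits:
        return None
    fields = ", ".join(name for name, _ in hits)
    return (f"POLICY: cleartext password field(s) [{fields}] "
            f"in HTTP client body {src} -> {dst}")


if __name__ == "__main__":
    print(alert_for(SAMPLE_REQUEST, "192.168.9.138:8220", "xx.xx.xx.104:80"))
    print(alert_for(SAMPLE_GET, "192.168.9.138:8220", "xx.xx.xx.104:80"))
```

Run on the constructed POST it reports the f_pass field; on the GET it returns None. The detector deliberately logs only the field name and value length, because an alert that quotes the password verbatim just moves the cleartext exposure from the wire into the IDS log. The same request sent over HTTPS would not be visible to an inline sensor at all, which is why the fix on the application side is to serve the login form only over TLS.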

