Snort mailing list archives
RE: Unusual System Events
From: Joshua Wright <Joshua.Wright () jwu edu>
Date: Thu, 18 Oct 2001 08:30:30 -0400
I am guessing that Eduard did not obfuscate his logs, and that 192.168.200.253 and 192.168.200.55 are on the same /24 block. Let's not scare him too much, eh? :)

Eduard - make sure you
A. have read the excellent Snort FAQ,
B. have configured your snort.conf to indicate all of your internal networks properly (e.g. var HOME_NET [192.168.0.0/16] and var EXTERNAL_NET !$HOME_NET),
C. restart snort.

-Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright () jwu edu
pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

-----Original Message-----
From: Brian [mailto:bmc () snort org]
Sent: Thursday, October 18, 2001 7:58 AM
To: Eduard Meiler
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Unusual System Events

According to Eduard Meiler:
> Hallo, how can I disable these logs from my LAN?

the real question is, why do you want to?

> Oct 18 12:00:18 wall snort: [1:583:1] RPC portmap request rstatd [Classification: Attempted Information Leak] [Priority: 3]: {UDP} 192.168.200.55:1076 -> 192.168.200.250:111
> Oct 18 12:14:50 wall snort: [1:1227:1] X11 outgoing [Classification: Unknown Traffic] [Priority: 1]: {TCP} 192.168.200.253:6000 -> 192.168.200.55:1116

To an outsider from your network, it looks as if you got hacked via statd, and they launched an xterm back at themselves. If not, you could just set your HOME_NET & EXTERNAL_NET properly.

--
Save the whales. Collect the whole set.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
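A triage check for the HOME_NET point made in this thread, as an added example that is not part of the original messages: it parses alert lines in the syslog format quoted above and reports whether both endpoints fall inside the HOME_NET value Joshua suggests. The function names are hypothetical, and the third sample line (203.0.113.7) is constructed for contrast.

```python
import ipaddress
import re

# HOME_NET value suggested in the thread: var HOME_NET [192.168.0.0/16]
HOME_NET = [ipaddress.ip_network("192.168.0.0/16")]

# Syslog alert format as it appears in the quoted log lines.
ALERT_RE = re.compile(
    r"snort: \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[Classification:.*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

SAMPLE_LOG = [
    # First two lines are the alerts quoted in the thread.
    "Oct 18 12:00:18 wall snort: [1:583:1] RPC portmap request rstatd "
    "[Classification: Attempted Information Leak] [Priority: 3]: "
    "{UDP} 192.168.200.55:1076 -> 192.168.200.250:111",
    "Oct 18 12:14:50 wall snort: [1:1227:1] X11 outgoing "
    "[Classification: Unknown Traffic] [Priority: 1]: "
    "{TCP} 192.168.200.253:6000 -> 192.168.200.55:1116",
    # Constructed line: same alert from a documentation-range address.
    "Oct 18 12:20:01 wall snort: [1:583:1] RPC portmap request rstatd "
    "[Classification: Attempted Information Leak] [Priority: 3]: "
    "{UDP} 203.0.113.7:1076 -> 192.168.200.250:111",
]

def in_home_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)

def classify(line):
    """Return sid, message and traffic scope for one alert line, or None."""
    m = ALERT_RE.search(line)
    if m is None:
        return None  # not a Snort alert line in this format
    src_in, dst_in = in_home_net(m["src"]), in_home_net(m["dst"])
    if src_in and dst_in:
        scope = "internal-only"   # both endpoints inside HOME_NET
    elif dst_in:
        scope = "inbound"
    elif src_in:
        scope = "outbound"
    else:
        scope = "external-only"
    return {"sid": int(m["sid"]), "msg": m["msg"], "scope": scope}

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
```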
Current thread:
- Unusual System Events Eduard Meiler (Oct 18)
- Re: Unusual System Events Brian (Oct 18)
- <Possible follow-ups>
- RE: Unusual System Events Joshua Wright (Oct 18)