Snort mailing list archives
Re: snoop output contradicts with snort database
From: Phil Wood <cpw () lanl gov>
Date: Sat, 9 Feb 2002 16:04:46 -0700
On Sat, Feb 09, 2002 at 02:14:43PM -0800, Gongya Yu wrote:
> Hi, all: I have a win2k box that was compromised. After I boot up that box, I use snoop to find that it sends lots of packets to remote machines on port 80 from random local ports. I set up a snort box to plug into an Oracle database. When I query the tcphdr table, I find tcp_sport contains port 80, while tcp_dport contains random ports.
Did you get some packets back from the servers your system was trying to hack? And what are your $EXTERNAL_NET and $HTTP_SERVERS variables set to, as well as your $HOME_NET? "any" by chance? What rule triggered the entries in your oracle database? I assume you are using ACID to output the sql? Have you had a drink yet?
> Any suggestions?
> Gongya Yu
> =================================
--
Phil Wood, cpw () lanl gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
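One way to check Phil's first question against the database rows, as an added example that is not part of this thread: a Python script that classifies constructed Snort-database-style rows by direction relative to an assumed HOME_NET and pairs each outbound packet to port 80 with the server's reply. Rows with tcp_sport = 80 then show up as the inbound half of the same conversations that snoop reported as outbound (random local port to remote port 80), rather than as a contradiction. The HOME_NET, addresses, ports and rows are all constructed; tcp_sport/tcp_dport are the tcphdr columns named in the thread, while ip_src/ip_dst are assumed here to be the matching iphdr columns.

```python
"""Classify constructed Snort-database rows by direction relative to HOME_NET
and pair outbound port-80 packets with their inbound replies."""
import ipaddress
from dataclasses import dataclass

# Assumed home network; the thread never states the poster's real value.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class TcpEvent:
    """One row of an iphdr/tcphdr join (column names assumed for ip_src/ip_dst)."""
    ip_src: str
    ip_dst: str
    tcp_sport: int
    tcp_dport: int


# Constructed sample rows: three outbound connections to port 80 from random
# local ports, two of which received a reply from the server.
SAMPLE_EVENTS = [
    TcpEvent("192.168.1.10", "203.0.113.5", 34517, 80),   # outbound, as snoop shows it
    TcpEvent("203.0.113.5", "192.168.1.10", 80, 34517),   # server reply: sport 80
    TcpEvent("192.168.1.10", "203.0.113.7", 34518, 80),   # outbound
    TcpEvent("203.0.113.7", "192.168.1.10", 80, 34518),   # server reply: sport 80
    TcpEvent("192.168.1.10", "198.51.100.9", 34519, 80),  # outbound, no reply seen
]


def direction(ev: TcpEvent) -> str:
    """Return outbound / inbound / internal / external relative to HOME_NET."""
    src_home = ipaddress.ip_address(ev.ip_src) in HOME_NET
    dst_home = ipaddress.ip_address(ev.ip_dst) in HOME_NET
    if src_home and not dst_home:
        return "outbound"
    if dst_home and not src_home:
        return "inbound"
    if src_home and dst_home:
        return "internal"
    return "external"


def summarize(events) -> dict:
    """Count rows by (direction, which side carries port 80)."""
    counts: dict = {}
    for ev in events:
        if ev.tcp_sport == 80:
            port_side = "sport80"
        elif ev.tcp_dport == 80:
            port_side = "dport80"
        else:
            port_side = "other"
        key = (direction(ev), port_side)
        counts[key] = counts.get(key, 0) + 1
    return counts


def conversation_key(ev: TcpEvent):
    """Normalise a row to (local_ip, local_port, remote_ip, remote_port) so both
    halves of a conversation map to the same key; None for non-home traffic."""
    d = direction(ev)
    if d == "outbound":
        return (ev.ip_src, ev.tcp_sport, ev.ip_dst, ev.tcp_dport)
    if d == "inbound":
        return (ev.ip_dst, ev.tcp_dport, ev.ip_src, ev.tcp_sport)
    return None


def conversations(events) -> dict:
    """Group rows into conversations and count packets seen in each direction."""
    table: dict = {}
    for ev in events:
        key = conversation_key(ev)
        if key is None:
            continue
        entry = table.setdefault(key, {"outbound": 0, "inbound": 0})
        entry[direction(ev)] += 1
    return table


if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_EVENTS).items()):
        print(key, count)
    for key, dirs in conversations(SAMPLE_EVENTS).items():
        local_ip, local_port, remote_ip, remote_port = key
        print(f"{local_ip}:{local_port} <-> {remote_ip}:{remote_port} {dirs}")
```

Run against the real tables, the same grouping answers Phil's question directly: a conversation with an inbound count of zero means the server never replied, while any conversation with both counts non-zero is why the tcphdr table holds rows with tcp_sport = 80 and a random tcp_dport.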