Snort mailing list archives

Re: (no subject)

From: Xavi Altafulla <xavifulla () yahoo com>
Date: Mon, 18 Nov 2002 03:20:38 -0800 (PST)

Maybe it's just a false positive. You could have an
application server on 10.51.10.13 and the workstation
from 10.104 is only grabbing one of the dll's that it
needs.

In order to check if one of your windoze programs is
using a certain dll, you could use FileMon, for
example.

hope it helps,

--- "Philippe Dhont   (Sea-ro)"
<Philippe.Dhont () searo be> wrote:

Hi, my snort is working fine since this weekend, i
use it on an internal
server.
One of the messages i got was this one:

url[snort] NETBIOS nimda RICHED20.DLL       
2002-11-18 10:30:52
10.51.10.104:1055        10.51.10.13:139        TCP 


Now, i got this message from 2 computers, this is
very strange because they
don't have the nimda virus.
I checked them, they have a good anti virus and it
is up to date.
I scanned the 2 computers completely again (full
manual scan) and no virus
was found.
Why do i get the message ?

Regards,


Philippe Dhont

-------------------------------------------------------

This sf.net email is sponsored by: To learn the
basics of securing 
your web site with SSL, click here to get a FREE
TRIAL of a Thawte 
Server Certificate:
http://www.gothawte.com/rd524.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or
unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://www.geocrawler.com/redir-sf.php3?list=snort-users


__________________________________________________
Do you Yahoo!?
Yahoo! Web Hosting - Let the expert host your site
http://webhosting.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by: To learn the basics of securing 
your web site with SSL, click here to get a FREE TRIAL of a Thawte 
Server Certificate: http://www.gothawte.com/rd524.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

(no subject), (continued)
- (no subject) Adrienne Kotze (Oct 10)
- (no subject) Nathan Whitehouse (Oct 14)
  - Re: (no subject) hackerwacker (Oct 14)
  - Re: (no subject) Erek Adams (Oct 14)
- RE: (no subject) Bob Dehnhardt (Oct 14)
- (no subject) Nanabhay Mohamed * Group (GP) (Oct 16)
- (no subject) Kreimendahl, Chad J (Oct 22)
- (no subject) Ha Tu (Oct 27)
  - Re: (no subject) Erek Adams (Oct 27)
- (no subject) Philippe Dhont (Sea-ro) (Nov 18)
  - Re: (no subject) Xavi Altafulla (Nov 18)
- (no subject) counterping (Dec 10)
  - Re: (no subject) Erick Mechler (Dec 10)
    - Error using the -T option Mike Koponick (Dec 10)
    - Re: Error using the -T option Erick Mechler (Dec 10)
    - RE: Error using the -T option Mike Koponick (Dec 10)
- (no subject) Jim Terry (Dec 12)
  - Re: (no subject) James-lists (Dec 12)
- Re: (no subject) Jim Terry (Dec 14)
- (no subject) netexpress (Dec 17)