Snort mailing list archives
RE: Tagged packets in logs
From: "Grejda, Eric" <EGrejda () county allegheny pa us>
Date: Tue, 23 Dec 2003 08:45:31 -0500
I've been seeing those on our networks as well, only there hasn't been any payload in those packets. They were appearing on a Snort v2.0.5 setup using the latest STABLE rule set which was logging to a MySQL database. We haven't been able to pin down what's causing them, either, and would love to know what's going on. My working theory has been that it's been a system duplication application of some sort (we use a few of them around here) pinging the server that stores its disk images but there's no hard data backing that theory up.

-- Eric Grejda
-----Original Message-----
From: Russell Fulton [mailto:r.fulton () auckland ac nz]
Sent: Tuesday, December 23, 2003 5:22 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Tagged packets in logs

I am getting a trickle of "tagged" packets turning up in ACID. All these packets have 80 as source port and most have no data, just push+ack set. A few have data and these always start with a USER <username><CRLF>PASS <password>.