[Snort-sigs] Snort logs

Bryan Irvine bryan.irvine at ...1441...
Tue Apr 22 16:34:08 EDT 2003


Is there a way to get more info from the Snort logs?

I got this:
###Begin paste###
[**] Virus - Possible NAIL Worm [**]
04/15-16:31:08.887271 207.109.73.101:110 -> 64.1.201.130:8136
TCP TTL:45 TOS:0x0 ID:38869 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7B1C0E7A  Ack: 0x2045F0E7  Win: 0x16D0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
###End paste###

It shows someone on one of our networks downloading a potential virus from
our mail server.

But, since this firewall is running NAT, I don't know who.
Will Snort run on more than one interface so I could track and see where it went
(for next time, I'm sure that info is lost this time)?

--Bryan
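
Added example, not part of the original post: a small parser for the alert layout pasted above that pulls out the fields useful for matching this packet against a capture taken on another interface (timestamp, IP ID, TCP sequence number) and picks the client-side endpoint the sensor saw. Treating port 110 as the service side is an assumption taken from the alert itself; the function names are illustrative.

```python
import re

# Alert text copied from the post above (Snort full-alert layout).
SAMPLE = """\
[**] Virus - Possible NAIL Worm [**]
04/15-16:31:08.887271 207.109.73.101:110 -> 64.1.201.130:8136
TCP TTL:45 TOS:0x0 ID:38869 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7B1C0E7A  Ack: 0x2045F0E7  Win: 0x16D0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

TITLE = re.compile(r"^\[\*\*\]\s*(.*?)\s*\[\*\*\]$")
FLOW = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
                  r"(\d+\.\d+\.\d+\.\d+):(\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)$")
IPHDR = re.compile(r"^(\w+)\s+TTL:(\d+)\s+TOS:(0x[0-9A-Fa-f]+)\s+ID:(\d+)")
TCPHDR = re.compile(r"^(\S{8})\s+Seq:\s*(0x[0-9A-Fa-f]+)\s+Ack:\s*(0x[0-9A-Fa-f]+)")

def parse_alerts(text):
    """Return one dict per alert; a record ends at the =+=+ separator line."""
    alerts, cur = [], {}
    for line in text.splitlines() + ["=+=+"]:   # sentinel flushes a last record
        line = line.strip()
        if line.startswith("=+=+"):
            if "msg" in cur and "src" in cur:   # drop incomplete records
                alerts.append(cur)
            cur = {}
        elif m := TITLE.match(line):
            cur["msg"] = m.group(1)
        elif m := FLOW.match(line):
            cur["time"] = m.group(1)
            cur["src"] = (m.group(2), int(m.group(3)))
            cur["dst"] = (m.group(4), int(m.group(5)))
        elif m := IPHDR.match(line):
            cur.update(proto=m.group(1), ttl=int(m.group(2)), ip_id=int(m.group(4)))
        elif m := TCPHDR.match(line):
            cur.update(flags=m.group(1), seq=int(m.group(2), 16), ack=int(m.group(3), 16))
    return alerts

def client_endpoint(alert, server_ports=(110,)):
    """Return the endpoint that is not on a known service port (assumed: POP3/110).
    On the outside of a NAT firewall this is the translated address and port."""
    if alert["src"][1] in server_ports:
        return alert["dst"]
    if alert["dst"][1] in server_ports:
        return alert["src"]
    return None
```

The sequence number survives plain address and port translation, so it is a practical key for finding the same segment in an inside-interface capture.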