[Snort-sigs] Snort logs
bryan.irvine at ...1441...
Tue Apr 22 16:34:08 EDT 2003
Is there a way to get more info from the Snort logs?

I got this:

[**] Virus - Possible NAIL Worm [**]
04/15-16:31:08.887271 22.214.171.124:110 -> 126.96.36.199:8136
TCP TTL:45 TOS:0x0 ID:38869 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x7B1C0E7A Ack: 0x2045F0E7 Win: 0x16D0 TcpLen: 20

It shows someone on one of our networks downloading a potential virus from
our mail server.
But, since this firewall is running NAT, I don't know who.
Will Snort run on more than one interface so I could track and see where it went
(for next time, I'm sure that info is lost this time)?