[Snort-users] Weird alerts - false positive ?

Andreas Lindenblatt azrael at ...70...
Mon Nov 6 09:29:23 EST 2000


Hi Simon,

> The alerts in most cases are sourced from my W2K host, and the destination
> is a nameserver on my network, 21 and 53 are nameservers, 6 is the W2K box.

IMHO this means that your x.x.x.53 tries to reach a port at your
W2K-host that it's not allowed to access. Does your host on .53 handle
mail? Most Mailers try to get information from the sender (auth, Port
113), which means your suspicious traffic should occur when you send or
receive mail.

-- 
----
BYE Andreas
[Solution - The Computer People]
[http://www.solution.de]
[fax:+49-621-7140721]
[Mannheim/Germany]


