[Snort-users] Scanning for trojans..sure ya are!

Dr SuSE drsuse at ...748...
Mon Nov 20 11:17:07 EST 2000


Well, I was just sitting here minding my own business and trying to
cybersex0r the large ladies of irc when I decided to check my Snort
reports.  
Well, look at that, someone was attempting to relay mail...hmm, I wonder
what this IP resolves to.  UH OH....securityscan.sec.rr.com   Damn, now
they know I'm running a web and mail server which I don't think I'm
supposed to be doing.
Since securityscan.sec.rr.com is now my enemy I need to research it and
find all I can.  A dogpile search directs me to
www.midsouth.rr.com/local/security/secscan.html
The page informs me that this is a script that is helpful in that it scans
the rr.com network for hosts that are infected with viruses and trojan
horses and running servers (nntp, ftp..etc) on my computer.  Hmm, I wonder
why it didn't set off any other Snort alerts for any of the trojan probes.
Sounds like B.S. on the part of rr.com and I think it's time to dump this
linksys router and set up that firewall I've been meaning to build so that
I can block all rr.com traffic.

I just thought this was funny since I know for a fact that Snort using
vision.conf detects trojan probes because in the last few days I've gotten
a bunch of SubSeven probes and none of them were from
securityscan.sec.rr.com

Dr SuSE

"Microsoft is not installed"