[Snort-users] tfn2k snort alert at whitehats.com

Erick Arturo Perez Huemer eperez at ...637...
Mon Oct 16 14:36:33 EDT 2000


Every time snort-update checks whitehats.com for a new signature file, SNORT
logs an IDS427 (tfn2k tcp possible communication).
Here is the auth.log dump:
Oct 16 08:01:16 thor snort[17186]: IDS427/tfn2k-tcp_possible_communication: 199.181.107.23
Oct 16 09:01:11 thor snort[17326]: IDS427/tfn2k-tcp_possible_communication: 199.181.107.23
Oct 16 10:01:12 thor snort[17470]: IDS427/tfn2k-tcp_possible_communication: 199.181.107.23

The strange thing is that in my /var/log/snort there is no entry for that IP,
so no packets have been logged and no actual packet data is available.

Is this normal or am I doing something wrong?

Erick A. Perez H.




