[Snort-users] Snort logs web browsing
foo_bar_00 at ...131...
Mon Apr 16 00:56:54 EDT 2001
I've got snort working (apparently you need to have -i elxl0 on the command line in order for $elxl0_ADDRESS to work in the config file).
So anyway, it's running now, but it seems to be logging ONE outbound web traffic (where X.X.X.X is my
[**] spp_http_decode: IIS Unicode attack detected [**]
04/15-18:08:02.069333 X.X.X.X:1532 ->
TCP TTL:127 TOS:0x0 ID:50983 IpLen:20 DgmLen:1024 DF
***AP*** Seq: 0x8E5AC4 Ack: 0x8EC2A0F0 Win: 0x2238
And that IP's nslookup shows netscape.com, which I didn't visit today.
Regardless, it's an outgoing connection and I don't quite get it. Here's more relevant info:
Solaris 2.6 x86
Updated ruleset today
var HOME_NET $elxl0_ADDRESS
var EXTERNAL_NET !$HOME_NET
command used to start snort:
/usr/local/bin/snort -A fast -s -i elxl0 -l /var/log/snortlogs -c /etc/snort/snort.conf -D
Any help would be much appreciated.
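As an added example that is not part of the original post: a small Python parser for alert headers in the format quoted above, which tags each alert as inbound or outbound relative to HOME_NET so that alerts raised on the poster's own outgoing browsing (the http_decode preprocessor inspects port 80 traffic in both directions) can be separated from inbound ones. The HOME_NET range and the alert lines are constructed; in practice the range would come from $elxl0_ADDRESS.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the multi-line alert format shown in the post.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_ALERTS = """\
[**] spp_http_decode: IIS Unicode attack detected [**]
04/15-18:08:02.069333 192.0.2.10:1532 -> 198.51.100.7:80
TCP TTL:127 TOS:0x0 ID:50983 IpLen:20 DgmLen:1024 DF
[**] spp_http_decode: IIS Unicode attack detected [**]
04/15-18:09:11.000001 203.0.113.5:40211 -> 192.0.2.10:80
"""

# Stand-in for $elxl0_ADDRESS (assumption: a /24 around the sensor's address).
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]

MSG_RE = re.compile(r"^\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]$")
ADDR_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

@dataclass
class Alert:
    msg: str
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # inbound / outbound / internal / external

def in_home_net(addr, home_net):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in home_net)

def classify(src, dst, home_net):
    """Direction of the flow relative to HOME_NET, mirroring EXTERNAL_NET = !HOME_NET."""
    s, d = in_home_net(src, home_net), in_home_net(dst, home_net)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    return "inbound" if d else "external"

def parse_alerts(text, home_net):
    """Pair each [**] msg [**] header with the address line that follows it; other lines are skipped."""
    alerts, msg = [], None
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if m:
            msg = m.group("msg")
            continue
        a = ADDR_RE.match(line.strip())
        if a and msg is not None:
            alerts.append(Alert(msg, a["ts"], a["src"], int(a["sport"]), a["dst"],
                                int(a["dport"]), classify(a["src"], a["dst"], home_net)))
            msg = None
    return alerts

def summarize(alerts):
    """Count alerts per (message, direction) so outbound false positives stand out."""
    return Counter((a.msg, a.direction) for a in alerts)
```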