[Snort-users] Snort logs web browsing

Phil foo_bar_00 at ...131...
Mon Apr 16 00:56:54 EDT 2001


I've got snort working (apparently you need to have -i
elxl0 on the command line in order for $elxl0_ADDRESS
to work in the config file). 

So anyway, it's running now, but it seems to be
logging ONE instance of outbound web traffic (where X.X.X.X
is my external IP):

[**] spp_http_decode: IIS Unicode attack detected [**]
04/15-18:08:02.069333 X.X.X.X:1532 -> 207.200.81.187:80
TCP TTL:127 TOS:0x0 ID:50983 IpLen:20 DgmLen:1024 DF
***AP*** Seq: 0x8E5AC4  Ack: 0x8EC2A0F0  Win: 0x2238  TcpLen: 20

And that IP's nslookup:
Name:    vwww-rl.netscape.com
Address:  207.200.81.187

Shows netscape.com, which I didn't visit today.
Regardless, it's an outgoing connection and I don't
quite get it. Here's more relevant info:

Solaris 2.6 x86
Snort 1.7
Updated ruleset today
var HOME_NET $elxl0_ADDRESS
var EXTERNAL_NET !$HOME_NET
command used to start snort:
/usr/local/bin/snort -A fast -s -i elxl0 -l /var/log/snortlogs -c /etc/snort/snort.conf -D

Any help would be much appreciated.

Phil
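
The question above boils down to "which side of HOME_NET was the alert raised on?" The alert block shows HOME_NET (X.X.X.X) as the *source* and netscape.com as the *destination*, i.e. the preprocessor fired on a request leaving the monitored host. The script below is an added example, not part of the original post and not Snort's own code: it parses Snort 1.x alert text and labels each alert inbound, outbound, internal or external relative to a HOME_NET specification in snort.conf syntax. Assumptions: the full-format block is the one from the post with 192.0.2.10 standing in for X.X.X.X; the second, one-line alert is a constructed example in the single-line layout that `-A fast` is assumed to produce (timestamp, `[**] msg [**]`, `src:port -> dst:port`); HOME_NET is given as a bracketed, comma-separated list or a single address/CIDR, without negation.

```python
"""Triage Snort 1.x alerts by direction relative to HOME_NET (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample input. The first block is the full-format alert from the
# post with 192.0.2.10 in place of X.X.X.X; the one-line alert after it is an
# assumed fast-format example of the same message, this time inbound.
SAMPLE_ALERTS = """\
[**] spp_http_decode: IIS Unicode attack detected [**]
04/15-18:08:02.069333 192.0.2.10:1532 -> 207.200.81.187:80
TCP TTL:127 TOS:0x0 ID:50983 IpLen:20 DgmLen:1024 DF
***AP*** Seq: 0x8E5AC4  Ack: 0x8EC2A0F0  Win: 0x2238  TcpLen: 20

04/15-18:09:10.000001  [**] spp_http_decode: IIS Unicode attack detected [**] 198.51.100.7:3321 -> 192.0.2.10:80
"""

_TS = r"\d\d/\d\d-\d\d:\d\d:\d\d\.\d+"
_IP = r"\d+\.\d+\.\d+\.\d+"
# One-line (fast) alert: timestamp, message between [**] markers, then the
# endpoint pair. ".*?" tolerates extra fields some versions insert between.
FAST_RE = re.compile(
    rf"^(?P<ts>{_TS})\s+\[\*\*\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    rf".*?(?P<src>{_IP})(?::(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{_IP})(?::(?P<dport>\d+))?\s*$"
)
# Full-format alert: a [**] header line followed by a timestamp/endpoint line.
# Ports are optional so ICMP alerts (no ports) still parse.
FULL_HDR_RE = re.compile(r"^\[\*\*\]\s+(?P<msg>.*?)\s+\[\*\*\]$")
FULL_PKT_RE = re.compile(
    rf"^(?P<ts>{_TS})\s+(?P<src>{_IP})(?::(?P<sport>\d+))?\s+->\s+"
    rf"(?P<dst>{_IP})(?::(?P<dport>\d+))?\s*$"
)


def _record(m, msg=None):
    """Build an alert dict from a regex match; msg overrides for full format."""
    g = m.groupdict()
    return {
        "ts": g["ts"],
        "msg": msg if msg is not None else g.get("msg"),
        "src": g["src"],
        "sport": int(g["sport"]) if g["sport"] else None,
        "dst": g["dst"],
        "dport": int(g["dport"]) if g["dport"] else None,
    }


def parse_alerts(text):
    """Parse fast and full-format alerts; IP-header and TCP-flag lines are skipped."""
    alerts, pending_msg = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FAST_RE.match(line)
        if m:
            alerts.append(_record(m))
            pending_msg = None
            continue
        m = FULL_HDR_RE.match(line)
        if m:
            pending_msg = m.group("msg")
            continue
        m = FULL_PKT_RE.match(line)
        if m and pending_msg is not None:
            alerts.append(_record(m, pending_msg))
            pending_msg = None
    return alerts


def parse_home_net(spec):
    """Turn a snort.conf HOME_NET value ('10.0.0.0/8' or '[a/24,b/32]') into networks."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.split(",") if p.strip()]


def direction(src, dst, home_nets):
    """Classify a flow relative to HOME_NET: outbound, inbound, internal or external."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    s_home = any(s in n for n in home_nets)
    d_home = any(d in n for n in home_nets)
    if s_home and d_home:
        return "internal"
    if s_home:
        return "outbound"
    if d_home:
        return "inbound"
    return "external"


def triage(text, home_net_spec):
    """Parse alerts and annotate each with its direction relative to HOME_NET."""
    nets = parse_home_net(home_net_spec)
    alerts = parse_alerts(text)
    for a in alerts:
        a["direction"] = direction(a["src"], a["dst"], nets)
    return alerts


def summarize(alerts):
    """Count alerts per (message, direction) pair to spot one-sided signatures."""
    return Counter((a["msg"], a["direction"]) for a in alerts)


if __name__ == "__main__":
    # 192.0.2.0/24 stands in for the poster's $elxl0_ADDRESS HOME_NET.
    for a in triage(SAMPLE_ALERTS, "[192.0.2.0/24]"):
        print(f'{a["direction"]:9} {a["src"]}:{a["sport"]} -> {a["dst"]}:{a["dport"]}  {a["msg"]}')
    for (msg, direction_), n in summarize(triage(SAMPLE_ALERTS, "[192.0.2.0/24]")).items():
        print(f"{n:4} {direction_:9} {msg}")
```

Run against the real alert file with the same HOME_NET as snort.conf; an "outbound" preprocessor alert like the one above means the request was sent by the monitored host itself, so the thing to inspect is the client and the URL it fetched rather than an attacker on the outside.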
