[Snort-users] Unusual System Events

Joshua Wright Joshua.Wright at ...2031...
Thu Oct 18 05:31:20 EDT 2001

I am guessing that Eduard did not obfuscate his logs, and that and are on the same /24 block.  Let's not
scare him too much, eh? :)

Eduard - make sure you A. have read the excellent Snort FAQ, B. have
configured your snort.conf to indicate all of your internal networks
properly (e.g. var HOME_NET [] and var EXTERNAL_NET
!$HOME_NET), C. restart snort.

-Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright at ...2031... 

pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

-----Original Message-----
From: Brian [mailto:bmc at ...950...]
Sent: Thursday, October 18, 2001 7:58 AM
To: Eduard Meiler
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Unusual System Events

According to Eduard Meiler:
> Hello,
> how can I disable these logs from my LAN?

the real question is, why do you want to?

> Oct 18 12:00:18 wall snort: [1:583:1] RPC portmap request rstatd
> [Classification: Attempted Information Leak] [Priority: 3]: {UDP}
> ->
> Oct 18 12:14:50 wall snort: [1:1227:1] X11 outgoing [Classification:
> Traffic] [Priority: 1]: {TCP} ->

To an outsider from your network, it looks as if you got hacked via
statd, and they launched an xterm back at themselves.

If not, you could just set your HOME_NET & EXTERNAL_NET properly.

Save the whales.  Collect the whole set.
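Added example, not from the thread: a small Python model of how the HOME_NET and EXTERNAL_NET variables that Joshua and Brian mention decide whether the two rule headers behind Eduard's alerts match a packet, with the weak any/any setting beside the corrected one. The 192.168.1.0/24 block, the outside address and the simplified rule header shapes are assumptions, since the original addresses and rule text are not on the page.

```python
import ipaddress

# Constructed snort.conf variable sets: the weak one, where every address is
# both home and external, beside the corrected one suggested in the thread.
# The /24 is a placeholder; the original poster's addresses are not on the page.
WEAK_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
FIXED_VARS = {"HOME_NET": "[192.168.1.0/24]", "EXTERNAL_NET": "!$HOME_NET"}

# Assumed, simplified address parts of the two rule headers (not the exact
# rules): a portmap request is EXTERNAL -> HOME, X11 outgoing is HOME -> EXTERNAL.
RULES = {
    "RPC portmap request rstatd": ("$EXTERNAL_NET", "$HOME_NET"),
    "X11 outgoing": ("$HOME_NET", "$EXTERNAL_NET"),
}


def resolve(expr, variables):
    """Expand a snort address expression into (negated, networks).

    networks is None for 'any'. Handles $VAR, !$VAR, [a,b,...] and a CIDR.
    """
    expr = expr.strip()
    negated = expr.startswith("!")
    if negated:
        expr = expr[1:]
    if expr.startswith("$"):
        inner_neg, nets = resolve(variables[expr[1:]], variables)
        return negated ^ inner_neg, nets
    if expr == "any":
        return negated, None
    nets = [ipaddress.ip_network(p.strip()) for p in expr.strip("[]").split(",")]
    return negated, nets


def addr_matches(expr, variables, ip):
    """True if ip satisfies the address expression under these variables."""
    negated, nets = resolve(expr, variables)
    hit = nets is None or any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated


def rules_firing(variables, src_ip, dst_ip):
    """Names of rules whose header addresses match a src -> dst packet."""
    return sorted(name for name, (src, dst) in RULES.items()
                  if addr_matches(src, variables, src_ip)
                  and addr_matches(dst, variables, dst_ip))
```

With WEAK_VARS a LAN-to-LAN packet matches both headers, which is why the log fills with these alerts; with FIXED_VARS the same packet matches neither, while a request arriving from outside still fires the rstatd rule.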
