[Snort-users] Unusual System Events

Joshua Wright Joshua.Wright at ...2031...
Thu Oct 18 05:31:20 EDT 2001


I am guessing that Eduard did not obfuscate his logs, and that
192.168.200.253 and 192.168.200.55 are on the same /24 block.  Let's not
scare him too much, eh? :)

Eduard - make sure you A. have read the excellent Snort FAQ, B. have
configured your snort.conf to indicate all of your internal networks
properly (e.g. var HOME_NET [192.168.0.0/16] and var EXTERNAL_NET
!$HOME_NET), C. restart snort.

-Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright at ...2031... 

pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
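[Editor's note: the following worked example is added here and is not part of Joshua's message or of the Snort project. It shows why Eduard's two alerts fire at all and why the HOME_NET/EXTERNAL_NET change above silences them: Snort only matches a rule when the packet satisfies the rule header, and the header's address fields are the variables from snort.conf. The two rule headers below are written from memory of the Snort 1.8 rule set (sid 583 is an EXTERNAL_NET -> HOME_NET port 111 UDP rule, sid 1227 a HOME_NET port 6000 -> EXTERNAL_NET TCP rule) and should be checked against your own rules files; the "narrow" variable set is an assumed misconfiguration, and the 10.9.8.7 alert line is constructed, not from the thread. The two LOG_LINES are Eduard's, re-joined onto one line each.]

```python
import ipaddress
import re

# The two alerts from the thread, re-joined onto one line each (constructed input).
LOG_LINES = [
    "Oct 18 12:00:18 wall snort: [1:583:1] RPC portmap request rstatd "
    "[Classification: Attempted Information Leak] [Priority: 3]: {UDP} "
    "192.168.200.55:1076 -> 192.168.200.250:111",
    "Oct 18 12:14:50 wall snort: [1:1227:1] X11 outgoing [Classification: "
    "Unknown Traffic] [Priority: 1]: {TCP} 192.168.200.253:6000 -> 192.168.200.55:1116",
]
# A constructed alert from a non-LAN source, to show the fixed config still alerts.
EXTERNAL_LINE = ("Oct 18 12:20:00 wall snort: [1:583:1] RPC portmap request rstatd "
                 "[Classification: Attempted Information Leak] [Priority: 3]: {UDP} "
                 "10.9.8.7:40000 -> 192.168.200.250:111")

# Rule headers for the two sids: (proto, src, sport, dst, dport). Written from
# memory of the Snort 1.8 rule set (assumed); rule body options do not matter here.
RULE_HEADERS = {
    583:  ("udp", "$EXTERNAL_NET", "any",  "$HOME_NET",     "111"),
    1227: ("tcp", "$HOME_NET",     "6000", "$EXTERNAL_NET", "any"),
}

# Pulls sid, protocol and the 5-tuple out of a syslog-style Snort alert line.
ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\].*\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not a snort syslog alert: %r" % line)
    d = m.groupdict()
    return {"sid": int(d["sid"]), "proto": d["proto"].lower(), "src": d["src"],
            "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"])}


def addr_matcher(spec, variables):
    """Turn a Snort address spec (any, CIDR, $VAR, !spec, [a,b,...]) into ip -> bool."""
    spec = spec.strip()
    if spec == "any":
        return lambda ip: True
    if spec.startswith("!"):                      # negation, e.g. !$HOME_NET
        inner = addr_matcher(spec[1:], variables)
        return lambda ip: not inner(ip)
    if spec.startswith("$"):                      # variable reference, expanded recursively
        return addr_matcher(variables[spec[1:]], variables)
    if spec.startswith("[") and spec.endswith("]"):   # list: match if any element matches
        parts = [addr_matcher(p, variables) for p in spec[1:-1].split(",")]
        return lambda ip: any(p(ip) for p in parts)
    net = ipaddress.ip_network(spec, strict=False)
    return lambda ip: ipaddress.ip_address(ip) in net


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def header_fires(alert, variables):
    """True if the alert's packet satisfies the header of the rule with that sid."""
    proto, src, sport, dst, dport = RULE_HEADERS[alert["sid"]]
    return (proto == alert["proto"]
            and addr_matcher(src, variables)(alert["src"])
            and port_matches(sport, alert["sport"])
            and addr_matcher(dst, variables)(alert["dst"])
            and port_matches(dport, alert["dport"]))


def sids_firing(lines, variables):
    """Which of the given alerts would still fire under this snort.conf variable set."""
    return [a["sid"] for a in map(parse_alert, lines) if header_fires(a, variables)]


# Shipped snort.conf defaults: every host is both home and external, so LAN-to-LAN
# traffic matches EXTERNAL_NET -> HOME_NET rules.
DEFAULT_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}
# An assumed narrow misconfiguration: only the servers count as home.
NARROW_VARS = {"HOME_NET": "192.168.200.248/29", "EXTERNAL_NET": "any"}
# The setting suggested in the message above.
FIXED_VARS = {"HOME_NET": "[192.168.0.0/16]", "EXTERNAL_NET": "!$HOME_NET"}

if __name__ == "__main__":
    for name, v in (("default", DEFAULT_VARS), ("narrow", NARROW_VARS), ("fixed", FIXED_VARS)):
        print(name, sids_firing(LOG_LINES, v), sids_firing([EXTERNAL_LINE], v))
```

With the shipped defaults or the narrow HOME_NET, both of Eduard's alerts fire; with the /16 HOME_NET and EXTERNAL_NET as its negation they are silent, while the constructed 10.9.8.7 probe still trips sid 583. The caveat is the one Brian's "why do you want to?" points at: once EXTERNAL_NET excludes the LAN, a compromised internal host probing portmap on its neighbours will not trip these rules either, so confirm that 192.168.200.55 is a legitimate source of rstatd queries and X clients before tuning the variables. (The variable change only takes effect after snort is restarted, as step C says.)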



-----Original Message-----
From: Brian [mailto:bmc at ...950...]
Sent: Thursday, October 18, 2001 7:58 AM
To: Eduard Meiler
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Unusual System Events


According to Eduard Meiler:
> Hallo,
> 
> how can I disable these logs from my LAN ?

the real question is, why do you want to?

> Oct 18 12:00:18 wall snort: [1:583:1] RPC portmap request rstatd
> [Classification: Attempted Information Leak] [Priority: 3]: {UDP}
> 192.168.200.55:1076 -> 192.168.200.250:111
> 
> Oct 18 12:14:50 wall snort: [1:1227:1] X11 outgoing [Classification: Unknown
> Traffic] [Priority: 1]: {TCP} 192.168.200.253:6000 -> 192.168.200.55:1116

To an outsider from your network, it looks as if you got hacked via
statd, and they launched an xterm back at themselves.

If not, you could just set your HOME_NET & EXTERNAL_NET properly.

-- 
Save the whales.  Collect the whole set.

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
