[Snort-users] Need help fast!

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Tue Sep 18 16:11:02 EDT 2001


Hello,

Once on Thursday I noticed an outgoing telnet connection attempt on port 23
from my web server out to the Internet. Two days later I noticed an outgoing
TFTP connection attempt (port 69) from the same web server out to the
Internet. I've never seen these types of connection attempts before and they
are definitely NOT a good sign. But even more strange is that Snort logs an
alert for these connection attempts, but does NOT log any traces! I have
never seen Snort do this before. Whenever there is an alert, there has
ALWAYS been a corresponding trace to refer to. But for each of these
connection attempts, I have nothing to refer to. I'm using Snort 1.8.1 b78
on Red Hat Linux 7.0.

My questions for the group are:

*	Has anyone seen any unexplained telnet or tftp coming from any of
their servers lately? Possibly from the new w32.nimda.a.mm worm?
*	Also, could this problem be a bug in Snort where it isn't logging
traces properly all of the time? It logs traces fine for all of my other
alerts.


Thanks,
Paul




